Abstract

One clock alternating timed automata (OCATA) have been recently introduced as a natural extension of (one clock) timed automata to express the semantics of MTL [11]. We consider the application of OCATA to the problem of model-checking MITL formulas (a syntactic fragment of MTL) against timed automata. We introduce a new semantics for OCATA where, intuitively, clock valuations are intervals instead of single values in $\mathbb{R}$. Thanks to this new semantics, we show that we can bound the number of clock copies that are necessary to allow an OCATA to recognise the models of an MITL formula. Equipped with this technique, we propose a new algorithm to translate an MITL formula into a timed automaton, and we sketch several ideas to define new model checking algorithms for MITL.

1 Introduction

Automata-based model-checking [13] is nowadays a well-established technique for establishing the correctness of computer systems. In this framework, the system to analyse is modeled by means of a finite automaton $A$ whose accepted language consists of all the traces of the system. The property to prove is usually expressed using a temporal logic formula $\Phi$, whose set of models is the language of all correct executions. For instance, the LTL formula $\Box(p \Rightarrow \Diamond q)$ says that every $p$-event should eventually be followed by a $q$-event. Then, establishing correctness of the system amounts to showing that the language $L(A)$ of the automaton is included in the language $[\![\Phi]\!]$ of the formula. In practice, automata-based model checking algorithms first negate the formula and translate $\neg\Phi$ into an automaton $A_{\neg\Phi}$ that recognises the complement of $[\![\Phi]\!]$, i.e., the set of all erroneous traces. Then, the algorithm proceeds by computing the synchronous product $A \times A_{\neg\Phi}$ and checks whether $L(A \times A_{\neg\Phi}) = \emptyset$, in which case the system respects the property.

While those techniques are now routinely used to prove the correctness of huge systems against complex properties [3], the model of finite automata and the classical temporal logics such as LTL are sometimes not expressive enough because they can model the possible sequences of events, but cannot express quantitative properties about the (real) time elapsing between successive events. To overcome these weaknesses, Alur and Dill [1] have proposed the model of timed automata, that extends finite automata with a finite set of (real valued) clocks. A real-time extension of LTL is the Metric Temporal Logic (MTL) that has been proposed by Koymans and consists in labeling the modalities with time intervals. For instance $\Box(p \Rightarrow \Diamond_{[1,2]} q)$ means 'at all time, each $p$ should be followed by a $q$-event that occurs between 1 and 2 time units later'. Unfortunately, the satisfiability and model-checking of MTL are undecidable on infinite words [7], and non-primitive recursive on finite words [12].

An interesting alternative is the Metric Interval Temporal Logic (MITL), that has been proposed by Henzinger et al. [2]. MITL is a syntactic fragment of MTL where singular intervals are disallowed on the modalities. Thanks to this restriction, MITL model-checking is ExpSpace-c, even on infinite words. MITL thus seems a good compromise between expressiveness and complexity. In their seminal work, Henzinger et al. provide a construction to translate an MITL formula $\Phi$ into a timed automaton $B_\Phi$, from which the automaton-based model checking procedure sketched above can be applied. Although this procedure is foundational from the theoretical point of view, it does not seem easily amenable to efficient implementation: the construction is quite involved, and requests that $B_\Phi$ be completely built before the synchronous product with the system's model can be explored. Note that an alternative technique, based on the notion of signal, has been proposed by Maler et al. [10]. However the semantics of MITL assumed there slightly differs from that of [2], whereas we stick to the original MITL semantics.

Since MITL is a syntactic fragment of MTL, all the techniques developed by Ouaknine and Worrell [11] for MTL can be applied to MITL. Their technique relies on the notion of alternating timed automaton with one clock (OCATA), an extension of timed automata. Intuitively an OCATA can create several copies of itself that run in parallel and must all accept the suffix of the word. For example, Fig. 1 displays an OCATA. Observe that the arc starting from $\ell_0$ has two destinations: $\ell_0$ and $\ell_1$. When the automaton is in $\ell_0$ with clock valuation $v$, and reads a $\sigma$, it spawns two copies of itself: the first reads the suffix of the word from $(\ell_0, v)$, and the latter from $(\ell_1, 0)$ (observe that the clock is reset on the branch to $\ell_1$). Then, every MITL formula $\Phi$ can be translated into an OCATA $A_\Phi$ that recognises its models [11]. The translation has the advantage of being very simple and elegant, and the size of $A_\Phi$ is linear in the size of $\Phi$. Unfortunately, one cannot bound a priori the number of clock copies that need to be remembered at all times along runs of an OCATA. Hence, OCATA cannot, in general, be translated to timed automata [9]. Moreover, the model-checking algorithm of [11] relies on well-quasi ordering to ensure termination, and has non-primitive recursive complexity.

In the present work, we exploit the translation of MITL formulas into OCATA [11] to devise new, optimal, and - hopefully - elegant and simple algorithms to translate an MITL formula into a timed automaton. To achieve this, we rely on two technical ingredients. We first propose (in Section 3) a novel interval-based semantics for OCATA. In this semantics, clock valuations can be regarded as intervals instead of single points, thus our semantics generalises the standard one [11]. Intuitively, a state $(\ell, I)$ of an OCATA in the interval-based semantics (where $\ell$ is a location and $I$ is an interval) can be regarded as an abstraction of all the (possibly unbounded) sets of states $\{(\ell, v_1), (\ell, v_2), \ldots, (\ell, v_n)\}$ of the standard semantics with $v_i \in I$ for all $i$. Then, we introduce a family of so-called approximation functions that, roughly speaking, associate with each configuration $C$ of the OCATA in the interval-based semantics, a set of configurations that are obtained from $C$ by merging selected intervals in $C$. We rely on approximation functions to bound the number of clock copies that are present in all configurations. Our main technical contribution (Section 4) then consists in showing that, when considering an OCATA $A_\Phi$ obtained from an MITL formula $\Phi$, combining the interval semantics and a well-chosen approximation function is sound, in the sense that the resulting semantics recognises $[\![\Phi]\!]$, while requesting only a bounded number of clock copies. Thanks to this result, we provide an algorithm that translates the OCATA $A_\Phi$ into a plain timed automaton that accepts the same language.

From our point of view, the benefits of this new approach are as follows. From the theoretical point of view, our construction is the first that relies on OCATA to translate MITL formulas into timed automata. We believe our construction is easier to describe (and thus, hopefully, easier to implement) than the previous approaches. The translation from MITL to OCATA is very straightforward. The intuitions behind the translation of the OCATA into a timed automaton are also quite natural (although the proof of correctness requires some technicalities). From the practical point of view, our approach allows us, as we briefly sketch in Section 5, to envision efficient model checking algorithms for MITL, in the same spirit of the antichain approach [5] developed for LTL model checking. Note that the key ingredient to enable this antichain approach is the use of alternating automata to describe the LTL formula. Our contribution thus lays the necessary theoretical basis to enable a similar approach in a real-time setting.

Remark. Owing to lack of space, most of the proofs are in the appendix.

2 Preliminaries

Basic notions. Let $\mathbb{R}$ ($\mathbb{R}^+$, $\mathbb{N}$) denote resp. the sets of real (non-negative real, natural) numbers. We call interval a convex subset of $\mathbb{R}$. We rely on the classical notation $\langle a, b \rangle$ for intervals, where $\langle$ is $($ or $[$, $\rangle$ is $)$ or $]$, $a \in \mathbb{R}$ and $b \in \mathbb{R} \cup \{+\infty\}$. For an interval $I = \langle a, b \rangle$, we let $\inf(I) = a$ be the infimum of $I$, $\sup(I) = b$ be its supremum ($a$ and $b$ are called the endpoints of $I$) and $|I| = \sup(I) - \inf(I)$ be its length. We note $\mathcal{I}(\mathbb{R})$ the set of all intervals. Similarly, we note $\mathcal{I}(\mathbb{R}^+)$ (resp. $\mathcal{I}(\mathbb{N})$) the set of all intervals whose endpoints are in $\mathbb{R}^+$ (resp. in $\mathbb{N} \cup \{+\infty\}$). Let $I \in \mathcal{I}(\mathbb{R})$ and $t \in \mathbb{R}$, we note $I + t$ for $\{i + t \in \mathbb{R} \mid i \in I\}$. Let $I$ and $J$ be two intervals, we let $I < J$ iff $\forall i \in I, \forall j \in J : i < j$. For $I \in \mathcal{I}(\mathbb{R})$, $v \in \mathbb{R}$ and $\bowtie \in \{<, >\}$, we note $I \bowtie v$ iff $\forall i \in I, i \bowtie v$.

Let $\Sigma$ be a finite alphabet. A word on a set $S$ is a finite sequence $s = s_1 \ldots s_n$ of elements in $S$. We denote by $|s| = n$ the length of $s$. A time sequence $\bar\tau = \tau_1 \tau_2 \tau_3 \ldots \tau_n$ is a word on $\mathbb{R}^+$ s.t. $\forall i < |\bar\tau|$, $\tau_i \le \tau_{i+1}$. A timed word over $\Sigma$ is a pair $\theta = (\bar\sigma, \bar\tau)$ where $\bar\sigma$ is a word over $\Sigma$, $\bar\tau$ a time sequence and $|\bar\sigma| = |\bar\tau|$. We also note $\theta$ as $(\sigma_1, \tau_1)(\sigma_2, \tau_2)(\sigma_3, \tau_3) \ldots (\sigma_n, \tau_n)$, and let $|\theta| = n$. A timed language is a (possibly infinite) set of timed words.

Metric Interval Temporal Logic. Given a finite alphabet $\Sigma$, the formulas of MITL are defined by the following grammar, where $a \in \Sigma$, $I \in \mathcal{I}(\mathbb{N})$:

$\varphi := \top \mid a \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \varphi_1 U_I \varphi_2$

We rely on the following usual shortcuts: $\Diamond_I \varphi$ stands for $\top U_I \varphi$, $\Box_I \varphi$ for $\neg\Diamond_I \neg\varphi$, $\varphi_1 \tilde U_I \varphi_2$ for $\neg(\neg\varphi_1 U_I \neg\varphi_2)$, $\Box\varphi$ for $\Box_{[0,\infty)} \varphi$ and $\Diamond\varphi$ for $\Diamond_{[0,\infty)} \varphi$.

Given an MITL formula $\Phi$, we note $Sub(\Phi)$ the set of all subformulas of $\Phi$, i.e.: $Sub(\Phi) = \{\Phi\}$ when $\Phi \in \{\top\} \cup \Sigma$, $Sub(\neg\varphi) = \{\neg\varphi\} \cup Sub(\varphi)$ and $Sub(\Phi) = \{\Phi\} \cup Sub(\varphi_1) \cup Sub(\varphi_2)$ when $\Phi = \varphi_1 U_I \varphi_2$ or $\Phi = \varphi_1 \wedge \varphi_2$. We let $|\Phi|$ denote the size of $\Phi$, defined as the number of $U$ or $\tilde U$ modalities it contains.

Definition 1 (Semantics of MITL). Given a timed word $\theta = (\bar\sigma, \bar\tau)$ over $\Sigma$, a position $1 \le i \le |\theta|$ and an MITL formula $\Phi$, we say that $\theta$ satisfies $\Phi$ from position $i$, written $(\theta, i) \models \Phi$, iff the following holds:

$(\theta, i) \models a \Leftrightarrow \sigma_i = a$

$(\theta, i) \models \varphi_1 \wedge \varphi_2 \Leftrightarrow (\theta, i) \models \varphi_1$ and $(\theta, i) \models \varphi_2$

$(\theta, i) \models \neg\varphi \Leftrightarrow (\theta, i) \not\models \varphi$

$(\theta, i) \models \varphi_1 U_I \varphi_2 \Leftrightarrow \exists i \le j \le |\theta|$, such that $(\theta, j) \models \varphi_2$, $\tau_j - \tau_i \in I$ and $\forall i \le k < j$, $(\theta, k) \models \varphi_1$

We say that $\theta$ satisfies $\Phi$, written $\theta \models \Phi$, iff $(\theta, 1) \models \Phi$. We note $[\![\Phi]\!] = \{\theta \mid \theta \models \Phi\}$.

Observe that, for all MITL formula $\Phi$, $[\![\Phi]\!]$ is a timed language and that we can transform any MITL formula in an equivalent MITL formula in negative normal form (in which negation can only be present on letters $\sigma \in \Sigma$) using the operators: $\wedge$, $\vee$, $\neg$, $U_I$ and $\tilde U_I$.

Example 1. We can express the fact that 'every occurrence of $p$ is followed by an occurrence of $q$ between 2 and 3 time units later' by: $\Box(p \Rightarrow \Diamond_{[2,3]} q)$. Its negation, $\neg(\Box(p \Rightarrow \Diamond_{[2,3]} q))$, is equivalent to the following negative normal form formula:

$\top U_{[0,+\infty)} (p \wedge \bot \tilde U_{[2,3]} \neg q)$
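As an added illustration of Definition 1 and of Example 1 (editor-added Python, not code from the paper), the checker below evaluates an MITL formula at a position of a finite timed word exactly as the four clauses of the definition prescribe, with $\Diamond_I$, $\Box_I$ and $\tilde U_I$ defined through the shortcuts given above. The tuple encoding of formulas, the restriction to closed intervals $[lo, hi]$ (with $hi = +\infty$ allowed) and the two timed words are constructed for this example. It then checks Example 1's claim on those words: the negative normal form $\top U_{[0,+\infty)} (p \wedge \bot \tilde U_{[2,3]} \neg q)$ holds exactly when $\Box(p \Rightarrow \Diamond_{[2,3]} q)$ does not.

```python
import math

# Constructed formula encoding (not the paper's notation):
#   ('true',) | ('atom', a) | ('and', f, g) | ('not', f) | ('until', f, g, (lo, hi))
# Intervals I = [lo, hi] are closed; hi may be math.inf, which stands for [lo, +inf).
TRUE = ('true',)

def atom(a):
    return ('atom', a)

def conj(f, g):
    return ('and', f, g)

def neg(f):
    return ('not', f)

def until(f, g, lo=0.0, hi=math.inf):
    return ('until', f, g, (lo, hi))

# The paper's shortcuts, and the dual "until" used in negative normal form
FALSE = neg(TRUE)

def eventually(g, lo=0.0, hi=math.inf):   # <>_I g   =  T U_I g
    return until(TRUE, g, lo, hi)

def always(f, lo=0.0, hi=math.inf):       # []_I f   =  not <>_I not f
    return neg(eventually(neg(f), lo, hi))

def release(f, g, lo=0.0, hi=math.inf):   # f U~_I g =  not (not f U_I not g)
    return neg(until(neg(f), neg(g), lo, hi))

def implies(f, g):                        # f => g   =  not (f and not g)
    return neg(conj(f, neg(g)))

def sat(word, i, phi):
    """(theta, i) |= phi for theta = [(sigma_1, tau_1), ..., (sigma_n, tau_n)] and 1 <= i <= n."""
    kind = phi[0]
    if kind == 'true':
        return True
    if kind == 'atom':
        return word[i - 1][0] == phi[1]
    if kind == 'and':
        return sat(word, i, phi[1]) and sat(word, i, phi[2])
    if kind == 'not':
        return not sat(word, i, phi[1])
    # until: some j >= i satisfies phi_2 with tau_j - tau_i in I,
    # and every k with i <= k < j satisfies phi_1
    f, g, (lo, hi) = phi[1], phi[2], phi[3]
    tau_i = word[i - 1][1]
    for j in range(i, len(word) + 1):
        d = word[j - 1][1] - tau_i
        if lo <= d <= hi and sat(word, j, g):
            return True
        if d > hi or not sat(word, j, f):
            # time stamps are non-decreasing, so no later witness can fall back into I;
            # and a position k = j violating phi_1 blocks every later witness
            return False
    return False

def models(word, phi):
    """theta |= phi iff (theta, 1) |= phi; the empty word has no position 1."""
    return bool(word) and sat(word, 1, phi)

# Example 1's formula and the negative normal form of its negation
P, Q = atom('p'), atom('q')
PHI = always(implies(P, eventually(Q, 2, 3)))                      # [](p => <>_[2,3] q)
NOT_PHI_NNF = until(TRUE, conj(P, release(FALSE, neg(Q), 2, 3)))   # T U (p /\ _|_ U~_[2,3] not q)

# Constructed timed words: every p of GOOD sees a q 2 to 3 time units later, BAD does not
GOOD = [('p', 0.0), ('q', 2.5), ('p', 3.0), ('q', 5.2)]
BAD = [('p', 0.0), ('q', 1.0), ('q', 4.0)]

def negation_is_consistent(word):
    """Example 1's claim on one word: the NNF of the negation holds iff PHI fails."""
    return models(word, NOT_PHI_NNF) == (not models(word, PHI))

if __name__ == '__main__':
    for name, w in (('GOOD', GOOD), ('BAD', BAD)):
        print(name, 'satisfies PHI:', models(w, PHI), '| NNF of negation:', models(w, NOT_PHI_NNF))
```

Because the until clause quantifies over positions rather than over real time, the checker is polynomial in the word length; the interval test `lo <= d <= hi` is where the $\tau_j - \tau_i \in I$ condition of the definition lives, and it is the only place where timing enters.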

Alternating timed automata. Let us now recall [12] the notion of (one clock) alternating timed automaton (OCATA for short). As we will see, OCATA define timed languages, and we will use them to express the semantics of MITL formulas. Let $\Gamma(L)$ be a set of formulas defined by the following grammar:

$\gamma := \top \mid \bot \mid \gamma_1 \vee \gamma_2 \mid \gamma_1 \wedge \gamma_2 \mid \ell \mid x \bowtie c \mid x.\gamma$

where $c \in \mathbb{N}$, $\bowtie \in \{<, \le, >, \ge\}$ and $\ell \in L$. We call $x \bowtie c$ a clock constraint. Intuitively, the expression $x.\gamma$ means that clock $x$ must be reset to 0.

Definition 2 ([12]). A one-clock alternating timed automaton (OCATA) is a tuple $A = (\Sigma, L, \ell_0, F, \delta)$ where $\Sigma$ is a finite alphabet, $L$ is a finite set of locations, $\ell_0$ is the initial location, $F \subseteq L$ is a set of accepting locations, $\delta : L \times \Sigma \to \Gamma(L)$ is the transition function.



Figure 1: OCATA $A$.



We assume that, for all $\gamma_1, \gamma_2$ in $\Gamma(L)$: $x.(\gamma_1 \vee \gamma_2) = x.\gamma_1 \vee x.\gamma_2$, $x.(\gamma_1 \wedge \gamma_2) = x.\gamma_1 \wedge x.\gamma_2$, $x.x.\gamma = x.\gamma$, $x.(x \bowtie c) = 0 \bowtie c$, $x.\top = \top$ and $x.\bot = \bot$. Thus, we can write any formula of $\Gamma(L)$ in disjunctive normal form, and, from now on, we assume that $\delta(\ell, a)$ is written in disjunctive normal form. That is, for all $\ell, a$, we have $\delta(\ell, a) = \bigvee_j \bigwedge_k A_{j,k}$, where each term $A_{j,k}$ is of the form $\ell$, $x.\ell$, $x \bowtie c$ or $0 \bowtie c$, with $\ell \in L$ and $c \in \mathbb{N}$. We call arc of the OCATA $A$ a triple $(\ell, a, \bigwedge_k A_{j,k})$ s.t. $\bigwedge_k A_{j,k}$ is a disjunct in $\delta(\ell, a)$.

Example 2. As an example, consider the OCATA $A$ in Fig. 1 over the alphabet $\Sigma = \{\sigma\}$. $A$ has three locations $\ell_0$, $\ell_1$ and $\ell_2$, such that $\ell_0$ is initial and $\ell_0$ and $\ell_1$ are final. $A$ has a unique clock $x$ and its transition function is given by: $\delta(\ell_0, \sigma) = \ell_0 \wedge x.\ell_1$, $\delta(\ell_1, \sigma) = (\ell_2 \wedge x = 1) \vee (\ell_1 \wedge x \neq 1)$ and $\delta(\ell_2, \sigma) = \ell_2$. The arcs of $A$ are thus $(\ell_0, \sigma, \ell_0 \wedge x.\ell_1)$, $(\ell_1, \sigma, \ell_2 \wedge x = 1)$, $(\ell_1, \sigma, \ell_1 \wedge x \neq 1)$ and $(\ell_2, \sigma, \ell_2)$. Observe that, in the figure we represent the (conjunctive) arc $(\ell_0, \sigma, \ell_0 \wedge x.\ell_1)$ by an arrow splitting in two branches connected resp. to $\ell_0$ and $\ell_1$ (possibly with different resets: the reset of clock $x$ is depicted by $x := 0$). Intuitively, taking the arc $(\ell_0, \sigma, \ell_0 \wedge x.\ell_1)$ means that, when reading a $\sigma$ from location $\ell_0$ and clock value $v$, the automaton should start two copies of itself, one in location $\ell_0$, with clock value $v$, and a second in location $\ell_1$ with clock value 0. Both copies should accept the suffix for the word to be accepted. This notion will be defined formally in the next section.



3 An interval semantics for OCATA

The standard semantics for OCATA [11, 9] is defined as an infinite transition system whose configurations are finite sets of pairs $(\ell, v)$, where $\ell$ is a location and $v$ is the valuation of the (unique) clock. Intuitively, each configuration thus represents the current state of all the copies (of the unique clock) that run in parallel in the OCATA. The transition system is infinite because one cannot bound, a priori, the number of different clock valuations that can appear in a single configuration, thereby requiring peculiar techniques, such as well-quasi orderings (see [12]) to analyse it. In this section, we introduce a novel semantics for OCATA, in which configurations are sets of states $(\ell, I)$, where $\ell$ is a location of the OCATA and $I$ is an interval, instead of a single point in $\mathbb{R}^+$. Intuitively, a state $(\ell, I)$ is an abstraction of all the states $(\ell, v)$ with $v \in I$, in the standard semantics. We further introduce the notion of approximation function. Roughly speaking, an approximation function associates with each configuration $C$ (in the interval semantics), a set of configurations that approximate $C$ (in a sense that will be made precise later), and contain fewer states than $C$. In Section 4 we will show that the interval semantics, combined with a proper approximation function, allows us to build, from all MITL formula $\Phi$, an OCATA $A_\Phi$ accepting $[\![\Phi]\!]$, and whose reachable configurations contain a bounded number of intervals. This will be the basis of our algorithm to build a timed automaton recognising $\Phi$ (and hence performing automata-based model-checking of MITL).

We call state of an OCATA $A = (\Sigma, L, \ell_0, F, \delta)$ a couple $(\ell, I)$ where $\ell \in L$ and $I \in \mathcal{I}(\mathbb{R}^+)$. We note $S = L \times \mathcal{I}(\mathbb{R}^+)$ the state space of $A$. A state $(\ell, I)$ is accepting iff $\ell \in F$. When $I = [v, v]$ (sometimes denoted $I = \{v\}$), we shorten $(\ell, I)$ by $(\ell, v)$. A configuration of an OCATA $A$ is a (possibly empty) finite set of states of $A$ whose intervals associated to a same location are disjoint. In the rest of the paper, we sometimes see a configuration $C$ as a function from $L$ to $2^{\mathcal{I}(\mathbb{R}^+)}$ s.t. for all $\ell \in L$: $C(\ell) = \{I \mid (\ell, I) \in C\}$. We note $Config(A)$ the set of all configurations of $A$. The initial configuration of $A$ is $\{(\ell_0, 0)\}$. A configuration is accepting iff all the states it contains are accepting (in particular, the empty configuration is accepting). For a configuration $C$ and a delay $t \in \mathbb{R}^+$, we note $C + t$ the configuration $\{(\ell, I + t) \mid (\ell, I) \in C\}$. From now on, we assume that, for all configurations $C$ and all locations $\ell$: when writing $C(\ell)$ as $\{I_1, \ldots, I_m\}$ we have $I_i < I_{i+1}$ for all $1 \le i < m$. Let $E$ be a finite set of intervals from $\mathcal{I}(\mathbb{R}^+)$. We let $\|E\| = |\{[a, a] \in E\}| + 2 \times |\{I \in E \mid \inf(I) \neq \sup(I)\}|$ denote the number of clock copies of $E$. Intuitively, $\|E\|$ is the number of individual clocks we need to encode all the information present in $E$, using one clock to track singular intervals, and two clocks to retain $\inf(I)$ and $\sup(I)$ respectively for non-singular intervals $I$. For a configuration $C$, we let $\|C\| = \sum_{\ell \in L} \|C(\ell)\|$.

Interval semantics. Our definition of the interval semantics for OCATA follows the definition of the standard semantics as given by Ouaknine and Worrell [11], adapted to cope with intervals. Let $M \in Config(A)$ be a configuration of an OCATA $A$, and $I \in \mathcal{I}(\mathbb{R}^+)$. We define the satisfaction relation "$\models_I$" on $\Gamma(L)$ as:

$M \models_I \top$

$M \models_I \ell$ iff $(\ell, I) \in M$

$M \models_I \gamma_1 \wedge \gamma_2$ iff $M \models_I \gamma_1$ and $M \models_I \gamma_2$

$M \models_I x \bowtie c$ iff $\forall x \in I$, $x \bowtie c$

$M \models_I \gamma_1 \vee \gamma_2$ iff $M \models_I \gamma_1$ or $M \models_I \gamma_2$

$M \models_I x.\gamma$ iff $M \models_{[0,0]} \gamma$

We say that $M$ is a minimal model of the formula $\gamma \in \Gamma(L)$ with respect to the interval $I \in \mathcal{I}(\mathbb{R}^+)$ iff $M \models_I \gamma$ and there is no $M' \subsetneq M$ such that $M' \models_I \gamma$. Remark that a formula $\gamma$ can admit several minimal models (one for each disjunct in the case of a formula of the form $\gamma = \bigvee_j \bigwedge_k A_{j,k}$). Intuitively, for $\ell \in L$, $\sigma \in \Sigma$ and $I \in \mathcal{I}(\mathbb{R}^+)$, a minimal model of $\delta(\ell, \sigma)$ with respect to $I$ represents a configuration the automaton can reach from state $(\ell, I)$ by reading $\sigma$. The definition of $M \models_I x \bowtie c$ only allows to take a transition $\delta(\ell, \sigma)$ from state $(\ell, I)$ if all the values in $I$ satisfy the clock constraint $x \bowtie c$ of $\delta(\ell, \sigma)$.

Example 3. Let us consider again the OCATA of Fig. 1. A minimal model $M$ of $\delta(\ell_1, \sigma)$ with respect to $[1.5, 2]$ must be such that: $M \models_{[1.5,2]} (\ell_1 \wedge x \neq 1) \vee (\ell_2 \wedge x = 1)$. As $\exists v \in [1.5, 2]$ s.t. $v \neq 1$, it is impossible that $M \models_{[1.5,2]} x = 1$. However, as $\forall v \in [1.5, 2]$, $v \neq 1$, $M \models_{[1.5,2]} x \neq 1$ and so $M \models_{[1.5,2]} (\ell_1 \wedge x \neq 1) \vee (\ell_2 \wedge x = 1)$ iff $M \models_{[1.5,2]} \ell_1$, i.e. $(\ell_1, [1.5, 2]) \in M$. So, $\{(\ell_1, [1.5, 2])\}$ is the unique minimal model of $\delta(\ell_1, \sigma)$ wrt $[1.5, 2]$.



Approximation functions. As stated before, our goal is to define a semantics for OCATA that enables to bound the number of clock copies. To this end, we define the notion of approximation function: we will use such functions to reduce the number of clock copies associated with each location in a configuration. An approximation function associates with each configuration $C$ a set of configurations $C'$ s.t. $\|C'(\ell)\| \le \|C(\ell)\|$ and s.t. the intervals in $C'(\ell)$ cover those of $C(\ell)$, for all $\ell$. Then, we define the semantics of an OCATA $A$ by means of a transition system $T_{A,f}$ whose definition is parametrised by an approximation function $f$.

Definition 3. Let $A$ be an OCATA. An approximation function is a function $f : Config(A) \to 2^{Config(A)}$ s.t. for all configurations $C$, for all $C' \in f(C)$, for all locations $\ell \in L$: (i) $\|C'(\ell)\| \le \|C(\ell)\|$, (ii) for all $I \in C(\ell)$, there exists $J \in C'(\ell)$ s.t. $I \subseteq J$, (iii) for all $J \in C'(\ell)$, there are $I_1, I_2 \in C(\ell)$ s.t. $\inf(J) = \inf(I_1)$ and $\sup(J) = \sup(I_2)$. We note $APP_A$ the set of approximation functions for $A$.

Definition 4. Let $A$ be an OCATA and let $f \in APP_A$ be an approximation function. The $f$-semantics of $A$ is the transition system $T_{A,f} = (Config(A), \leadsto, \to_f)$ on configurations of $A$ defined as follows:

• the transition relation $\leadsto$ takes care of the elapsing of time: $\forall t \in \mathbb{R}^+$, $C \xrightarrow{t} C'$ iff $C' = C + t$. We let $\leadsto = \bigcup_{t \in \mathbb{R}^+} \xrightarrow{t}$.

• the transition relation $\to_f$ takes care of discrete transitions between locations and of the approximation: $C = \{(\ell_k, I_k)\}_{k \in K} \xrightarrow{\sigma}_f C'$ iff there exists a configuration $C'' = \bigcup_{k \in K} M_k$ s.t. (i) for all $k$: $M_k$ is a minimal model of $\delta(\ell_k, \sigma)$ with respect to $I_k$, and (ii) $C' \in f(C'')$. We let $\to_f = \bigcup_{\sigma \in \Sigma} \xrightarrow{\sigma}_f$.

We can now define the accepted language of an OCATA (parametrised by an approximation function $f$). Let $\theta = (\bar\sigma, \bar\tau)$ be a timed word s.t. $|\theta| = n$, and let $f \in APP_A$ be an approximation function. Let us note $t_i = \tau_i - \tau_{i-1}$ for all $1 \le i \le |\theta|$, assuming $\tau_0 = 0$. An $f$-run of $A$ on $\theta$ is a finite sequence of discrete and continuous transitions in $T_{A,f}$ that is labelled by $\theta$, i.e. a sequence of the form: $C_0 \xrightarrow{t_1} C_1 \xrightarrow{\sigma_1}_f C_2 \xrightarrow{t_2} C_3 \xrightarrow{\sigma_2}_f \ldots \xrightarrow{t_n} C_{2n-1} \xrightarrow{\sigma_n}_f C_{2n}$. We say that an $f$-run is accepting iff its last configuration $C_{2n}$ is accepting, and we say that a timed word is $f$-accepted by $A$ iff there exists an accepting $f$-run of $A$ on this word. We note $L_f(A)$ the language of all finite timed words $f$-accepted by $A$. In the rest of the paper, we (sometimes) use the abbreviation $C_i \xrightarrow{t, \sigma}_f C_{i+2}$ for $C_i \xrightarrow{t} C_{i+1} = C_i + t \xrightarrow{\sigma}_f C_{i+2}$. Observe that this interval semantics generalises the standard OCATA semantics [11]. This standard semantics can be recovered by considering $T_{A,Id}$, where $Id$ is the approximation function such that $Id(C) = \{C\}$ for all $C$. Indeed, in $T_{A,Id}$, all the reachable configurations contain only states of the form $(\ell, [a, a])$, i.e., all intervals are singular. So, each state $(\ell, [a, a])$ can be naturally mapped to a state $(\ell, a)$ in the standard semantics. From now on, we denote $L_{Id}(A)$ by $L(A)$.

Example 4. Let us consider again the OCATA $A$ in Fig. 1 and the timed word $\theta = (\sigma, 0)(\sigma, 0.2)(\sigma, 0.5)$, with $|\theta| = 3$. Let $f$ be the approximation function s.t. for all $C \in Config(A)$: $f(C) = \{C(\ell_0) \cup C(\ell_2) \cup \{(\ell_1, [\inf(I_1), \sup(I_m)])\}\}$ if $C(\ell_1) = \{I_1, I_2, \ldots, I_m\} \neq \emptyset$ (assuming, as mentioned before, that $I_1 < I_2 < \cdots < I_m$); and $f(C) = \{C\}$ if $C(\ell_1) = \emptyset$. Thus, roughly speaking, $f(C)$ always contains one configuration, which is obtained from $C$ by merging all the intervals in $C(\ell_1)$ and keeping the rest of the configuration untouched. Then, an $f$-run on $\theta$ is:

$\rho_1 = \{(\ell_0, 0)\} \xrightarrow{0, \sigma}_f \{(\ell_0, 0), (\ell_1, 0)\} \xrightarrow{0.2, \sigma}_f \{(\ell_0, 0.2), (\ell_1, [0, 0.2])\} \xrightarrow{0.3, \sigma}_f \{(\ell_0, 0.5), (\ell_1, [0, 0.5])\}$.

Also, an $Id$-run on $\theta$ is:

$\rho_2 = \{(\ell_0, 0)\} \xrightarrow{0, \sigma} \{(\ell_0, 0), (\ell_1, 0)\} \xrightarrow{0.2, \sigma} \{(\ell_0, 0.2), (\ell_1, 0), (\ell_1, 0.2)\} \xrightarrow{0.3, \sigma} \{(\ell_0, 0.5), (\ell_1, 0), (\ell_1, 0.3), (\ell_1, 0.5)\}$.

Now, consider the timed word $\theta' = \theta(\sigma, 1.1)$. An $Id$-run on $\theta'$ is $\rho_3 = \rho_2 \xrightarrow{0.6, \sigma} \{(\ell_0, 1.1), (\ell_1, 0), (\ell_1, 0.6), (\ell_1, 0.9), (\ell_1, 1.1)\}$ (hence $\theta'$ is $Id$-accepted by $A$), but $A$ has no $f$-run on $\theta'$. Indeed, letting 0.6 t.u. elapse from $\rho_1$'s last configuration yields $\{(\ell_0, 1.1), (\ell_1, [0.6, 1.1])\}$ from which no transition can be fired, because $[0.6, 1.1]$ satisfies neither $x \neq 1$ nor $x = 1$, which are the respective guards of the arcs from $\ell_1$.
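To make Example 4 concrete, here is an editor-added Python simulation (not code from the paper) of the $f$-semantics of Definition 4 on the OCATA of Fig. 1. It enumerates the minimal models of each $\delta(\ell, \sigma)$, stored in disjunctive normal form, with respect to an interval, builds every discrete successor by taking one minimal model per state and the union of them, applies the approximation function, and reports the last configurations of all $f$-runs. The DNF encoding, the location names `l0`, `l1`, `l2`, the use of closed intervals and the exact rational arithmetic are assumptions of this example; `merge_l1` is the $f$ of Example 4 and `Id` the identity. The code reproduces $\rho_1$, $\rho_2$ and $\rho_3$, and the fact that $\theta'$ has an $Id$-run but no $f$-run.

```python
from fractions import Fraction as F
from itertools import product

# Constructed encoding of the OCATA of Fig. 1 (locations l0, l1, l2; alphabet {σ}).
# δ(ℓ, σ) is a list of disjuncts; each disjunct is a list of atoms
#   ('loc', ℓ, reset)  - a copy must continue in ℓ (with the clock reset to 0 when reset is True)
#   ('guard', op, c)   - the clock constraint x op c
FIG1 = {
    'initial': 'l0',
    'final': {'l0', 'l1'},
    'delta': {
        ('l0', 'σ'): [[('loc', 'l0', False), ('loc', 'l1', True)]],   # l0 ∧ x.l1
        ('l1', 'σ'): [[('loc', 'l2', False), ('guard', '=', 1)],       # (l2 ∧ x = 1)
                      [('loc', 'l1', False), ('guard', '!=', 1)]],     #   ∨ (l1 ∧ x ≠ 1)
        ('l2', 'σ'): [[('loc', 'l2', False)]],                         # l2
    },
}

def interval_satisfies(iv, op, c):
    """M ⊨_I x op c iff every point of the closed interval I = [lo, hi] satisfies x op c."""
    lo, hi = iv
    return {'<': hi < c, '<=': hi <= c, '>': lo > c, '>=': lo >= c,
            '=': lo == hi == c, '!=': not (lo <= c <= hi)}[op]

def minimal_models(aut, loc, iv, letter):
    """Minimal models of δ(loc, letter) w.r.t. iv: one per disjunct whose guards all hold on iv."""
    models = []
    for disjunct in aut['delta'][(loc, letter)]:
        if all(interval_satisfies(iv, a[1], a[2]) for a in disjunct if a[0] == 'guard'):
            models.append(frozenset((a[1], (F(0), F(0)) if a[2] else iv)
                                    for a in disjunct if a[0] == 'loc'))
    return models

def delay(conf, t):
    """C + t: shift every interval of the configuration by t."""
    return frozenset((l, (lo + t, hi + t)) for l, (lo, hi) in conf)

def discrete_successors(aut, conf, letter, approx):
    """All C' with C --letter-->_f C': one minimal model per state, union C'', then C' ∈ f(C'')."""
    choices = [minimal_models(aut, l, iv, letter) for l, iv in conf]
    succ = set()
    for combo in product(*choices):        # no combination at all if some state has no model
        succ.update(approx(frozenset().union(*combo)))
    return succ

def final_configurations(aut, word, approx):
    """Last configurations of all f-runs of aut on the timed word [(σ_1, τ_1), ...], with τ_0 = 0."""
    confs = {frozenset({(aut['initial'], (F(0), F(0)))})}
    prev = F(0)
    for letter, tau in word:
        t, prev = tau - prev, tau
        confs = {c2 for c in confs for c2 in discrete_successors(aut, delay(c, t), letter, approx)}
    return confs

def accepted(aut, word, approx):
    """f-accepted iff some f-run ends in a configuration whose states are all in final locations."""
    return any(all(l in aut['final'] for l, _ in c) for c in final_configurations(aut, word, approx))

def Id(conf):
    return {conf}

def merge_l1(conf):
    """The f of Example 4: merge all intervals of l1 into [inf(I_1), sup(I_m)], keep the rest."""
    l1 = [iv for l, iv in conf if l == 'l1']
    if not l1:
        return {conf}
    rest = {(l, iv) for l, iv in conf if l != 'l1'}
    return {frozenset(rest | {('l1', (min(lo for lo, _ in l1), max(hi for _, hi in l1)))})}

def describe(confs):
    """Deterministic view of a set of configurations: sorted lists of (location, inf, sup) strings."""
    return sorted(sorted((l, str(lo), str(hi)) for l, (lo, hi) in c) for c in confs)

# Constructed timed words: θ and θ' of Example 4, plus one word on which the x = 1 guard fires
THETA = [('σ', F(0)), ('σ', F('0.2')), ('σ', F('0.5'))]
THETA_PRIME = THETA + [('σ', F('1.1'))]
THETA_ONE = [('σ', F(0)), ('σ', F(1))]

if __name__ == '__main__':
    for name, w in (('θ', THETA), ("θ'", THETA_PRIME), ('θ1', THETA_ONE)):
        print(name, 'f-runs end in', describe(final_configurations(FIG1, w, merge_l1)),
              '| Id-accepted:', accepted(FIG1, w, Id), '| f-accepted:', accepted(FIG1, w, merge_l1))
```

Rationals are used so that the guard $x = 1$ is tested exactly after the delays $0.2 + 0.3 + 0.6$; with binary floating point the same comparison could silently fail. Note also that the check `accepted(..., merge_l1)` never returns True where `accepted(..., Id)` returns False, which is Proposition 1 below observed on these words.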

In the rest of the paper we will rely mainly on approximation functions that enable to bound the number of clock copies in all configurations along all runs of an OCATA $A$. Let $k \in \mathbb{N}$ be a constant. We say that $f_k \in APP_A$ is a $k$-bounded approximation function iff for all $C \in Config(A)$, for all $C' \in f_k(C)$: $\|C'\| \le k$.

Accepted language and approximations. Let us now study the relationship between the standard semantics of OCATA and the family of semantics obtained when relying on an approximation function that is different from $Id$. We show that introducing approximations does not increase the accepted language:

Proposition 1. For all OCATA $A$, for all $f \in APP_A$: $L_f(A) \subseteq L(A)$.

Sketch. Let $C_0 \leadsto C_1 \to_f C_2 \leadsto C_3 \cdots \to_f C_{2n}$ be an accepting $f$-run of $A$ on $\theta$, and let us build, inductively, an accepting $Id$-run $D_0 \leadsto D_1 \to D_2 \leadsto D_3 \cdots \to D_{2n}$ on $\theta$ s.t. the following invariant holds: for all $1 \le i \le 2n$, for all $(\ell, [v, v]) \in D_i$, there is $(\ell, I) \in C_i$ s.t. $v \in I$. The base case is trivial since $C_0 = D_0$. For the inductive case, we first observe that the elapsing of time maintains the invariant. Thus, we have to show that each discrete step in the $f$-run can be simulated by a discrete step in the $Id$-run that maintains the invariant. A $\sigma$-labeled discrete step from some configuration $C_{2j+1}$ in the $f$-run consists in selecting an arc $a_s$ of the form $(\ell, \sigma, \gamma)$ for each $s = (\ell, I)$ in $C_{2j+1}$, whose guard is satisfied by $I$. Then, firing all these arcs yields a configuration $E$, and $C_{2j+2} \in f(E)$. From each $s' = (\ell, [v, v])$ in $D_{2j+1}$, we fire the arc $a_s$ where $s = (\ell, I)$ is a state in $C_{2j+1}$ s.t. $v \in I$. Such an $s$ exists by induction hypothesis. Since the effects of the arcs are the same, and by properties of the approximation function, we conclude that $D_{2j+2}$ and $C_{2j+2}$ respect the invariant. In particular $D_{2n}$ and $C_{2n}$ respect it, hence $D_{2n}$ is accepting. □



4 From MITL to Timed Automata

In this section, we present our new technique to build, from any MITL formula $\Phi$, a timed automaton that accepts $[\![\Phi]\!]$. Our technique relies on two ingredients. First, we recall [11] how to build, from all MITL formula $\Phi$, an OCATA $A_\Phi$ s.t. $L(A_\Phi) = [\![\Phi]\!]$. This is not sufficient to obtain a timed automaton, as, in general, the semantics of an OCATA needs an unbounded number of clock copies, which prevents us from translating all OCATA into timed automata. The second ingredient is the definition of a family of bounded approximation functions $f^*_\Phi$, s.t., for all MITL formula $\Phi$, $L_{f^*_\Phi}(A_\Phi) = L(A_\Phi)$. Since each $f^*_\Phi$ is a bounded approximation function, the number of clock copies in the $f^*_\Phi$-semantics of $A_\Phi$ is bounded, which allows us to build a timed automaton $B_\Phi$ with the same semantics (thus, $B_\Phi$ accepts $[\![\Phi]\!]$).

From MITL to OCATA. We begin by recalling ([12]¹) how to build, from any MITL formula $\Phi$ (in negative normal form), an OCATA $A_\Phi$ s.t. $L(A_\Phi) = [\![\Phi]\!]$. We let $A_\Phi = (\Sigma, L, \ell_0, F, \delta)$ where: $L$ is the set containing the initial copy of $\Phi$, noted $\Phi_{init}$, and all the formulas of $Sub(\Phi)$ whose outermost connective is '$U$' or '$\tilde U$'; $\ell_0 = \Phi_{init}$; $F$ is the set of the elements of $L$ of the form $\varphi_1 \tilde U_I \varphi_2$. Finally $\delta$ is defined² by induction on the structure of $\Phi$:



• $\delta(\Phi_{init}, \sigma) = x.\delta(\Phi, \sigma)$

• $\delta(\varphi_1 \vee \varphi_2, \sigma) = \delta(\varphi_1, \sigma) \vee \delta(\varphi_2, \sigma)$; $\delta(\varphi_1 \wedge \varphi_2, \sigma) = \delta(\varphi_1, \sigma) \wedge \delta(\varphi_2, \sigma)$

• $\delta(\varphi_1 U_I \varphi_2, \sigma) = (x.\delta(\varphi_2, \sigma) \wedge x \in I) \vee (x.\delta(\varphi_1, \sigma) \wedge \varphi_1 U_I \varphi_2 \wedge x \le \sup(I))$

• $\delta(\varphi_1 \tilde U_I \varphi_2, \sigma) = (x.\delta(\varphi_2, \sigma) \vee x \notin I) \wedge (x.\delta(\varphi_1, \sigma) \vee \varphi_1 \tilde U_I \varphi_2 \vee x > \sup(I))$

• $\forall \sigma_1, \sigma_2 \in \Sigma$: $\delta(\sigma_1, \sigma_2) = \top$ if $\sigma_1 = \sigma_2$ and $\delta(\sigma_1, \sigma_2) = \bot$ if $\sigma_1 \neq \sigma_2$

• $\forall \sigma_1, \sigma_2 \in \Sigma$: $\delta(\neg\sigma_1, \sigma_2) = \bot$ if $\sigma_1 = \sigma_2$ and $\delta(\neg\sigma_1, \sigma_2) = \top$ if $\sigma_1 \neq \sigma_2$

• $\forall \sigma \in \Sigma$: $\delta(\top, \sigma) = \top$ and $\delta(\bot, \sigma) = \bot$.

To simplify the following proofs, we deviate slightly from that definition, and assume that if a formula of type $\varphi_1 U_I \varphi_2$ or $\varphi_1 \tilde U_I \varphi_2$ appears more than once as a sub-formula of $\Phi$, the occurrences of this formula are supposed different and are encoded as different locations. With this definition, we have:

Definition 1 ([12]). For all MITL formula $\Phi$: $L(A_\Phi) = [\![\Phi]\!]$.

Example 5. As an example consider the formula $\Phi_1 = \Box(a \Rightarrow \Diamond_{[1,2]} b)$, which is a shorthand for $\bot \tilde U_{[0,+\infty)} (\neg a \vee (\top U_{[1,2]} b))$. The OCATA $A_{\Phi_1}$ is given in Fig. 2 (left), where the location $\ell_\Box$ corresponds to $\Phi_1$ and the location $\ell_\Diamond$ corresponds to $\top U_{[1,2]} b$. One can check that this automaton follows strictly the above definition, after simplification of the formulas, except that we have removed the $\Phi_{init}$ location and used the $\ell_\Box$ location as initial location instead, to enhance readability of the example (this does not modify the accepted language, in the present case). Observe the edge labeled by $b, x \in [1, 2]$ from $\ell_\Diamond$, without target state: it depicts the fact that, after simplification: $\delta(\top U_{[1,2]} b, b) = (x \in [1, 2]) \vee (\top U_{[1,2]} b)$. Intuitively, this means that, when the automaton has a copy in location $\ell_\Diamond$ with a clock valuation in $[1, 2]$, the copy can be removed from the automaton, because a minimal model of $x \in [1, 2]$ wrt a valuation $v$ with $v \in [1, 2]$ is $\emptyset$.

¹ Remark that in [12], the authors are concerned with MTL, but since MITL is a syntactic fragment of MTL, the procedure applies here.

² Remark that the $x \le \sup(I)$ and $x > \sup(I)$ conditions in the resp. definitions of $\delta(\varphi_1 U_I \varphi_2, \sigma)$ and $\delta(\varphi_1 \tilde U_I \varphi_2, \sigma)$ have been added here for technical reasons. This does not modify the accepted language. Indeed, in [12], these conditions are given in the infinite word semantics of OCATA.

Figure 2: (left) OCATA $A_{\Phi_1}$ with $\Phi_1 = \Box(a \Rightarrow \Diamond_{[1,2]} b)$. (right) The grouping of clocks.

To help us build an intuition of the $f^*_\Phi$ function, let us consider the $Id$-run $\rho_1$ of $A_{\Phi_1}$ on $\theta_1 = (a, 0.1)(a, 0.2)(a, 0.3)(b, 2)$ depicted in Fig. 3. Observe that $\theta_1 \models \Phi_1$, and that $\rho_1$'s last configuration is indeed accepting. Also note that, as in the example of Fig. 1, the number of clock copies necessary in the $Id$-semantics cannot be bounded. Now, let us discuss the intuition behind $f^*_\Phi$ by considering $\theta_1$ again. Consider $\rho'_1$ the run prefix of $\rho_1$ ending in $\{(\ell_\Box, 0.2), (\ell_\Diamond, 0), (\ell_\Diamond, 0.1)\}$. Clearly, the last configuration of $\rho'_1$ can be over-approximated by grouping the two clock values $0$ and $0.1$ into the smallest interval that contains them both, i.e. $[0, 0.1]$. This intuition is compatible with the definition of bounded approximation function, and yields the accepting run $\rho'_1$ depicted in Fig. 3. Nevertheless, we must be careful when grouping clock copies. Let us consider $\theta_2 = (a, 0.1)(a, 0.2)(a, 1.9)(b, 2)(b, 3) \in [\![\Phi_1]\!]$, as witnessed by $\rho_2$ depicted in Fig. 3. Grouping in the same interval the three clock copies created in $\ell_\Diamond$ (along $\rho_2$) by the reading of the three $a$'s (and letting a further 0.1 time unit elapse) yields the run prefix of $\rho'_2$ depicted in Fig. 3, ending in $\{(\ell_\Box, 2), (\ell_\Diamond, [0.1, 1.9])\}$. From the last configuration of this run, the edge with guard $x \in [1, 2]$ and origin $\ell_\Diamond$ cannot be taken. Thus, the only way to extend this prefix is through $\rho'_2$ (depicted in Fig. 3), which yields a run that does not accept $\theta_2$. Obviously, by grouping the two clock copies created in $\ell_\Diamond$ by the two first $a$'s, and by keeping the third one apart, one obtains the accepting run $\rho''_2$ (depicted in Fig. 3). Fig. 2 (right) shows the intuition behind the grouping of clocks. The two first positions (with $\sigma_1 = \sigma_2 = a$) of the word satisfy $\Phi_1$, because of the $b$ in position 4 (with $\tau_4 = 2$), while position 3 (with $\sigma_3 = a$) satisfies $\Phi_1$ because of the $b$ in position 5 (with $\tau_5 = 3$). This explains why we group the two first copies (corresponding to the two first $a$'s) and keep the third one apart.

The approximation functions $f^*_\Phi$. Let us now formally define the family of bounded approximation functions that will form the basis of our translation to timed automata. We first give an upper bound $M(\Phi)$ on the number of clock copies (intervals) we need to consider in the configurations to recognise an MITL formula $\Phi$. The precise definition of the bound $M(\Phi)$ is technical and is given by induction on the structure of the formula. It can be found in the appendix. However, for all MITL formula $\Phi$:

$M(\Phi) \le |\Phi| \times \max_{I \in \mathcal{I}_\Phi} \big( 4 \times \langle \text{term in } \inf(I) \rangle + 2,\; 2 \times \langle \text{term in } \sup(I) \rangle \big)$³

where $\mathcal{I}_\Phi$ is the set of all the intervals that occur in $\Phi$.

Figure 3: Several OCATA runs (the runs $\rho_1$, $\rho'_1$, $\rho_2$, $\rho'_2$ and $\rho''_2$ of $A_{\Phi_1}$ on $\theta_1$ and $\theta_2$, showing the contents of $\ell_\Box$ and $\ell_\Diamond$ after each delay and letter).

Equipped with this bound, we can define the $f^*_\Phi$ function. Throughout this description, we assume an OCATA $A$ with set of locations $L$. Let $S = \{(\ell, I_0), (\ell, I_1), \ldots, (\ell, I_m)\}$ be a set of states of $A$, all in the same location $\ell$, with, as usual, $I_0 < I_1 < \cdots < I_m$. Then, we let $Merge(S) = \{(\ell, [0, \sup(I_1)]), (\ell, I_2), \ldots, (\ell, I_m)\}$ if $I_0 = [0, 0]$ and $Merge(S) = S$ otherwise, i.e., $Merge(S)$ is obtained from $S$ by grouping $I_0$ and $I_1$ iff $I_0 = [0, 0]$, otherwise $Merge(S)$ does not modify $S$. Observe that, in the former case, if $I_1$ is not a singleton, then $\|Merge(S)\| = \|S\| - 1$. Now, we can lift the definition of $Merge$ to configurations. Let $C$ be a configuration of $A$ and let $k \in \mathbb{N}$. We let:

$Merge(C, k) = \{C' \mid \|C'\| \le k \text{ and } \forall \ell \in L : C'(\ell) \in \{Merge(C(\ell)), C(\ell)\}\}$

Observe that $Merge(C, k)$ is a (possibly empty) set of configurations, where each configuration (i) has at most $k$ clock copies, and (ii) can be obtained by applying (if possible) or not the $Merge$ function to each $C(\ell)$. Let us now define a family of $k$-bounded approximation functions, based on $Merge$. Let $k \ge 2 \times |L|$ be a bound and let $C$ be a configuration, assuming that $C(\ell) = \{I^\ell_1, \ldots, I^\ell_{m_\ell}\}$ for all $\ell \in L$. Then:

, _ r Merge (C, k) If Merge (C, fc) ^ 

^^ " I {{e, [inf{li),supiCj]) I £ e L} otherwise 



The first component of the maximum comes from U and the second from U. 
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Roughly speaking, the F^ (C) function tries to obtain configurations C" that approx- 
imate C and s.t. ||C"|| < k, using the Merge function. If it fails to, i.e., when 
Merge (C, k) — 0, F^{C) returns a single configuration, obtained from C be group- 
ing all the intervals in each location. The latter case occurs in the definition of F^ 
for the sake of completeness. When the OCATA A has been obtained from an MITL 
formula $, and for k big enough (see hereunder) each G |$| will be recognised by 
at least one F'^'-run of A that traverses only configurations obtained thanks to Merge. 
We can now finally define /^ for all MITL formula $, by letting /^ = F^ , where 
K = max{2 x |L|, Af ($)}. It is easy to observe that /^ is indeed a bounded approxi- 
mation function. Then, we can show that, for all MITL formula $, the /^-semantics of 
Aij. accepts exactly 1$] . To obtain this result, we rely on the following propositiorQ 
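As an added illustration (this is editorial example code, not code from the paper), the following Python encodes the $\mathrm{Merge}$, $\mathrm{Merge}(C, k)$ and $F^k$ definitions above. Intervals are `(lo, hi)` pairs and a configuration maps a location name to its sorted list of intervals. The counting convention for $\|\cdot\|$ (a singleton interval costs one clock copy, a proper interval two) is inferred from the remark that $\|\mathrm{Merge}(S)\| = \|S\| - 1$ exactly when $I_1$ is not a singleton; the location names and the sample configurations are constructed for the example.

```python
from itertools import product

# An interval is a pair (lo, hi) with lo <= hi; a configuration maps each
# location name to the sorted list of intervals the paper writes C(l).

def copies(intervals):
    """||S||: a singleton [v,v] costs one clock copy, a proper interval two."""
    return sum(1 if lo == hi else 2 for lo, hi in intervals)

def config_copies(config):
    """||C||: total number of clock copies over all locations."""
    return sum(copies(ivs) for ivs in config.values())

def merge(intervals):
    """Merge(S): group I_0 with I_1 iff I_0 == [0,0] (a copy just created
    by a reset); otherwise S is returned unchanged."""
    if len(intervals) >= 2 and tuple(intervals[0]) == (0.0, 0.0):
        return [(0.0, intervals[1][1])] + list(intervals[2:])
    return list(intervals)

def merge_configs(config, k):
    """Merge(C, k): every configuration obtained by applying Merge, or not,
    to each C(l) independently, keeping only those with at most k copies."""
    locs = sorted(config)
    choices = [(list(config[l]), merge(config[l])) for l in locs]
    result = []
    for pick in product(*choices):
        cand = dict(zip(locs, [list(p) for p in pick]))
        if config_copies(cand) <= k and cand not in result:  # dedupe when Merge is a no-op
            result.append(cand)
    return result

def F(config, k):
    """F^k(C): Merge(C, k) when it is non-empty, otherwise the single
    configuration grouping all intervals of each location into one."""
    if k < 2 * len(config):
        # The paper assumes k >= 2|L|, which is what makes the fallback fit in k.
        raise ValueError("k must be at least 2 * |L|")
    merged = merge_configs(config, k)
    if merged:
        return merged
    collapsed = {l: [(ivs[0][0], ivs[-1][1])] for l, ivs in config.items() if ivs}
    return [collapsed]

if __name__ == "__main__":
    # Constructed sample: two locations, each holding a freshly reset copy.
    C = {"l1": [(0.0, 0.0), (0.1, 0.3)], "l2": [(0.0, 0.0), (2.0, 2.0)]}
    print("||C|| =", config_copies(C))
    for cand in F(C, 4):
        print(cand, "->", config_copies(cand), "copies")
```

Note that `F` never returns an empty list: when no combination of merges fits in `k`, the fallback configuration has at most one interval per location, which is why the definition requires $k \ge 2 \times |L|$.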

Proposition 2. Let $\Phi$ be an MITL formula, let $K$ be a set of indices and, $\forall k \in K$, let $\Phi_k = \varphi_{1,k}\,\mathcal{U}_{I_k}\,\varphi_{2,k}$ be subformulas of $\Phi$. For all $k \in K$, let $\ell_{\Phi_k}$ be their associated locations in $\mathcal{A}_\Phi$. Let $\theta = (\sigma, \bar\tau)$ be a timed word and let $J_k \in \mathcal{I}(\mathbb{R}^+)$ be closed intervals. The automaton $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, J_k)\}_{k \in K}$ iff $\forall k \in K$, $\exists m_k \ge 1 : (\theta, m_k) \models \varphi_{2,k} \wedge \tau_{m_k} \in I_k - \inf(J_k) \wedge \tau_{m_k} \in I_k - \sup(J_k) \wedge \forall 1 \le m'_k < m_k : (\theta, m'_k) \models \varphi_{1,k}$.

To illustrate this proposition, let us consider $\Phi_2 = \top\,\mathcal{U}_{[2,3]}\,b$, the associated automaton $\mathcal{A}_{\Phi_2}$ and the timed word $\theta = (a, 0)(b, 1)(b, 2)$. Assume that $\mathcal{A}_{\Phi_2}$ is in configuration $C = \{(\ell_{\Phi_2}, [0,2])\}$ and we must read $\theta$ from $C$. Observe that for all values $y \in [0,2]$, there is a position $m$ in $\theta$ s.t. $\tau_m \in [2,3] - y$ (i.e., $\tau_m$ satisfies the temporal constraint of the modality), $(\theta, m) \models b$ and all intermediate positions satisfy $\top$: $\forall 1 \le m' < m$, $(\theta, m') \models \top$. In other words, $\forall y \in [0,2]$, $(\theta, 1) \models \top\,\mathcal{U}_{[2,3]-y}\,b$. Yet, the conditions of the proposition are not satisfied: no single position $m$ has both $\tau_m \in [2,3] - 0 = [2,3]$ and $\tau_m \in [2,3] - 2 = [0,1]$. And, indeed, there is no accepting $\mathit{Id}$-run of $\mathcal{A}_{\Phi_2}$ from $C$: after reading the first (resp. second) $b$, the resulting configuration contains $(\ell_{\Phi_2}, [1,3])$ (resp. $(\ell_{\Phi_2}, [2,4])$). In both cases, the interval associated to $\ell_{\Phi_2}$ does not satisfy the clock constraint $x \in [2,3]$ of the transition $x.\delta(\top, b) \wedge x \in [2,3]$ of $\mathcal{A}_{\Phi_2}$ that enables to leave location $\ell_{\Phi_2}$. This example also shows that Proposition 2 cannot be obtained as a corollary of the results by Ouaknine and Worrell [12] and deserves a dedicated proof as part of our contribution.
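The two readings contrasted in this example can be computed side by side. The Python below is an added example (not code from the paper): `pointwise_holds` decides $\forall y \in J : (\theta, 1) \models \varphi_1\,\mathcal{U}_{I-y}\,\varphi_2$ exactly, by observing that a witness position $m$ covers precisely the $y \in I - \tau_m$ and checking that these closed intervals cover $J$; `prop2_criterion` implements the condition of Proposition 2. The timed word, the interval $I = [2,3]$ and the predicates for $\top$ and $b$ are those of the example above; the function names are the example's own.

```python
from typing import Callable, List, Tuple

Letter = str
TimedWord = List[Tuple[Letter, float]]   # [(sigma_1, tau_1), ..., (sigma_n, tau_n)]
Interval = Tuple[float, float]           # closed interval [lo, hi]
Pred = Callable[[Letter], bool]          # a state formula evaluated on one letter

def shift(I: Interval, y: float) -> Interval:
    """I - y, clipped to R+ (negative time stamps never occur)."""
    return (max(I[0] - y, 0.0), I[1] - y)

def until_witnesses(theta: TimedWord, phi1: Pred, phi2: Pred) -> List[int]:
    """Positions m (1-based) with (theta, m) |= phi2 and (theta, m') |= phi1
    for all 1 <= m' < m, ignoring the timing constraint."""
    out = []
    for m, (letter, _) in enumerate(theta, start=1):
        if phi2(letter):
            out.append(m)
        if not phi1(letter):
            break          # no later position can have an all-phi1 prefix
    return out

def pointwise_holds(theta: TimedWord, phi1: Pred, phi2: Pred, I: Interval, J: Interval) -> bool:
    """For every y in J: (theta, 1) |= phi1 U_{I - y} phi2.
    Witness m serves exactly the y with tau_m in I - y, i.e. y in I - tau_m,
    so the property holds iff the union of these closed intervals covers J."""
    covers = sorted(
        c for c in (shift(I, theta[m - 1][1]) for m in until_witnesses(theta, phi1, phi2))
        if c[1] >= J[0] and c[0] <= J[1]
    )
    reach, started = J[0], False
    for lo, hi in covers:
        if lo > reach:
            break          # uncovered gap at `reach`
        started, reach = True, max(reach, hi)
    return started and reach >= J[1]

def prop2_criterion(theta: TimedWord, phi1: Pred, phi2: Pred, I: Interval, J: Interval) -> bool:
    """Proposition 2: a single witness m with tau_m in I - inf(J) and
    tau_m in I - sup(J), i.e. the whole interval J + tau_m lies inside I."""
    for m in until_witnesses(theta, phi1, phi2):
        t = theta[m - 1][1]
        if I[0] - J[0] <= t <= I[1] - J[0] and I[0] - J[1] <= t <= I[1] - J[1]:
            return True
    return False

if __name__ == "__main__":
    theta = [("a", 0.0), ("b", 1.0), ("b", 2.0)]       # the word of the example
    top, is_b = (lambda s: True), (lambda s: s == "b")
    for J in ((0.0, 2.0), (0.0, 0.5), (1.2, 1.2)):
        print(J, "pointwise:", pointwise_holds(theta, top, is_b, (2.0, 3.0), J),
              "Prop. 2:", prop2_criterion(theta, top, is_b, (2.0, 3.0), J))
```

For $J = [0,2]$ the two answers differ, which is the point of the example; for a singleton $J = [v,v]$ both conditions collapse to $\tau_m \in I - v$ and always agree, as Lemma 1 in the appendix states.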

The property given by Proposition 2 is thus crucial to determine, given an accepting run, whether we can group several intervals and retain an accepting run or not. This observation will be central to the proof of our main theorem:

Theorem 2. For all MITL formula $\Phi$, $f^\star_\Phi$ is a bounded approximation function and $L_{f^\star_\Phi}(\mathcal{A}_\Phi) = L(\mathcal{A}_\Phi) = [\![\Phi]\!]$.

Proof sketch. By definition, $f^\star_\Phi$ is a bounded approximation function. Hence, by Proposition 1, $L_{f^\star_\Phi}(\mathcal{A}_\Phi) \subseteq L(\mathcal{A}_\Phi)$. Let $\theta = (\sigma, \bar\tau)$ be a timed word in $L(\mathcal{A}_\Phi)$, and let us show that $\theta \in L_{f^\star_\Phi}(\mathcal{A}_\Phi)$, by building an accepting $f^\star_\Phi$-run $\rho'$ on $\theta$. Since $\theta \in L(\mathcal{A}_\Phi)$, there is an accepting $\mathit{Id}$-run $\rho$ of $\mathcal{A}_\Phi$ on $\theta$. We assume that

$$\rho = C_0 \xrightarrow{\tau_1, \sigma_1}_{\mathit{Id}} C_1 \xrightarrow{\tau_2 - \tau_1, \sigma_2}_{\mathit{Id}} C_2 \cdots \xrightarrow{\tau_n - \tau_{n-1}, \sigma_n}_{\mathit{Id}} C_n.$$

We build, by induction on the length of $\rho$, a sequence of runs $\rho_0, \rho_1, \ldots, \rho_n$ s.t. for all $0 \le j \le n$, $\rho_j = D^j_0 \xrightarrow{\tau_1, \sigma_1}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}, \sigma_n}_{\mathit{Id}} D^j_n$ is an accepting run on $\theta$ with the following properties: (i) for all $0 \le k \le j$ and all $\ell \in L$ corresponding to a sub-formula $\varphi_1\,\mathcal{U}_I\,\varphi_2$: $\|D^j_k(\ell)\| \le 4 \times \lceil \inf(I)/|I| \rceil + 2$, and (ii) assuming $\tau_0 = 0$: $D^j_j \xrightarrow{\tau_{j+1} - \tau_j, \sigma_{j+1}}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}, \sigma_n}_{\mathit{Id}} D^j_n$ is an accepting $\mathit{Id}$-run on $\theta^{j+1} = (\sigma_{j+1}\sigma_{j+2}\cdots\sigma_n, \bar\tau')$, where $\bar\tau' = (\tau_{j+1} - \tau_j)(\tau_{j+2} - \tau_j)\cdots(\tau_n - \tau_j)$, i.e., $\theta^{j+1}$ is the suffix of length $n - j$ of $\theta$, where all the time stamps have been decreased by $\tau_j$. Clearly, letting $\rho_0 = \rho$ satisfies these properties. We build $\rho_{k+1}$ from $\rho_k$, by first letting $D^{k+1}_0, D^{k+1}_1, \ldots, D^{k+1}_k = D^k_0, D^k_1, \ldots, D^k_k$, and then showing how to build $D^{k+1}_{k+1}$ from $D^k_{k+1}$ by merging intervals. Let $\ell \in L$. We use the criterion given by Proposition 2 to decide when to group intervals in $D^k_{k+1}(\ell)$. Assume $D^k_{k+1}(\ell) = \{J_1, J_2, \ldots, J_m\}$. Then:

• If $D^k_{k+1}(\ell)$ is either empty, or a singleton, we let $D^{k+1}_{k+1}(\ell) = D^k_{k+1}(\ell)$.

• Else, if $J_1 \neq [0,0]$, then the reading of $\sigma_{k+1}$ has not created a new copy in $\ell$ and we let $D^{k+1}_{k+1}(\ell) = D^k_{k+1}(\ell)$ too.

• Else, $J_1 = [0,0]$ and we must decide whether we group this clock copy with $J_2$ or not. Assume² $\ell$ corresponds to the sub-formula $\varphi_1\,\mathcal{U}_I\,\varphi_2$, and let $\theta^{k+2}$ be the suffix of $\theta$ that remains to be read from $D^{k+1}_{k+1}$ (as defined in (ii)). Then:

 1. if $\exists m \ge 1$ such that: $(\theta^{k+2}, m) \models \varphi_2 \wedge \tau^{k+2}_m \in I - \sup(J_2) \wedge \tau^{k+2}_m \in I \wedge \forall 1 \le m' < m : (\theta^{k+2}, m') \models \varphi_1$, then we let $D^{k+1}_{k+1}(\ell) = \mathrm{Merge}(D^k_{k+1}(\ell))$,

 2. else, we let $D^{k+1}_{k+1}(\ell) = D^k_{k+1}(\ell)$.

We finish the construction of $\rho_{k+1}$ by firing, from $D^{k+1}_{k+1}$, the same arcs as in the $D^k_{k+1} D^k_{k+2} \cdots D^k_n$ suffix of $\rho_k$, using the $\mathit{Id}$-semantics. Proposition 2 guarantees that we have grouped the intervals in such a way that this suffix is an $\mathit{Id}$-accepting run on $\theta^{k+2}$. Finally, we let $\rho' = \rho_n$, which is an accepting run on $\theta$. We finish the proof by a technical discussion showing that $\rho_n$ is an $f^\star_\Phi$-run. □

¹ Stated here for the $\mathcal{U}$ modality; a similar proposition holds for $\widetilde{\mathcal{U}}$.

From OCATA to timed automata. Let us show how we can now translate $\mathcal{A}_\Phi$ into a timed automaton that accepts $[\![\Phi]\!]$. The crucial point is to define a bound, $M(\Phi)$, on the number of clocks that are necessary to recognise models of $\Phi$.

A timed automaton (TA) is a tuple $\mathcal{B} = (\Sigma, L, \ell_0, X, F, \delta)$, where $\Sigma$ is a finite alphabet, $L$ is a finite set of locations, $\ell_0 \in L$ is the initial location, $X$ is a finite set of clocks, $F \subseteq L$ is the set of accepting locations, and $\delta \subseteq L \times \Sigma \times \mathcal{G}(X) \times 2^X \times L$ is a finite set of transitions, where $\mathcal{G}(X)$ denotes the set of guards on $X$, i.e. the set of all finite conjunctions of clock constraints on clocks from $X$. For a transition $(\ell, a, g, r, \ell')$, we say that $g$ is its guard, and $r$ its reset. A configuration of a TA is a pair $(\ell, v)$, where $v : X \to \mathbb{R}^+$ is a valuation of the clocks in $X$. We denote by $\mathrm{Config}(\mathcal{B})$ the set of all configurations of $\mathcal{B}$, and we say that $(\ell, v)$ is accepting iff $\ell \in F$. For all $t \in \mathbb{R}^+$, we have (time successor) $(\ell, v) \xrightarrow{t} (\ell', v')$ iff $\ell = \ell'$ and $v' = v + t$, where $v + t$ is the valuation s.t. for all $x \in X$: $(v + t)(x) = v(x) + t$. For all $\sigma \in \Sigma$, we have (discrete successor) $(\ell, v) \xrightarrow{\sigma} (\ell', v')$ iff there is $(\ell, \sigma, g, r, \ell') \in \delta$ s.t. $v \models g$, for all $x \in r$: $v'(x) = 0$ and for all $x \in X \setminus r$: $v'(x) = v(x)$. We write $(\ell, v) \xrightarrow{t, \sigma} (\ell', v')$ iff there is $(\ell'', v'') \in \mathrm{Config}(\mathcal{B})$ s.t. $(\ell, v) \xrightarrow{t} (\ell'', v'') \xrightarrow{\sigma} (\ell', v')$. A timed word $\theta = (\sigma, \bar\tau)$ with $\sigma = \sigma_1\sigma_2\cdots\sigma_n$ and $\bar\tau = \tau_1\tau_2\cdots\tau_n$ is accepted by $\mathcal{B}$ iff there is an accepting run of $\mathcal{B}$ on $\theta$, i.e. a sequence of configurations $(\ell_0, v_0), (\ell_1, v_1), \ldots, (\ell_n, v_n)$ s.t. $(\ell_n, v_n)$ is accepting and, for all $0 \le i \le n - 1$: $(\ell_i, v_i) \xrightarrow{\tau_{i+1} - \tau_i, \sigma_{i+1}} (\ell_{i+1}, v_{i+1})$, where $v_0$ assigns $0$ to all clocks, and assuming that $\tau_0$ denotes $0$. We denote by $L(\mathcal{B})$ the language of $\mathcal{B}$, i.e. the set of words accepted by $\mathcal{B}$.

² When $\ell$ corresponds to the sub-formula $\varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$, we use the proposition similar to Proposition 2 for $\widetilde{\mathcal{U}}$ to decide whether we group $J_1$ with $J_2$ or not.
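The TA semantics just defined (time successor, guarded discrete successor with resets, run on a timed word) is small enough to execute directly. The Python below is an added example, not the paper's $\mathcal{B}_\Phi$ construction: it runs an arbitrary TA on a timed word by keeping the set of configurations reachable after each letter, which resolves the non-determinism of $\delta$ by exploring all choices. The sample automaton `example_ta` (a hand-written TA with one clock that accepts words in which some $b$ is read within $[2,3]$ time units of the first $a$) and the sample words are constructed for the example.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

Valuation = Dict[str, float]
Guard = Callable[[Valuation], bool]
Transition = Tuple[str, str, Guard, FrozenSet[str], str]   # (l, a, g, r, l')

class TA:
    """B = (Sigma, L, l0, X, F, delta); Sigma and L are implicit in delta."""
    def __init__(self, clocks, init, accepting, transitions: List[Transition]):
        self.clocks, self.init, self.accepting, self.transitions = clocks, init, accepting, transitions

    def time_succ(self, loc, v: Valuation, t: float):
        # (l, v) --t--> (l, v + t): every clock advances by t.
        return loc, {x: val + t for x, val in v.items()}

    def discrete_succs(self, loc, v: Valuation, letter):
        # (l, v) --a--> (l', v'): guard must hold on v; clocks in r are reset.
        for src, a, g, r, dst in self.transitions:
            if src == loc and a == letter and g(v):
                yield dst, {x: (0.0 if x in r else val) for x, val in v.items()}

    def accepts(self, theta: List[Tuple[str, float]]) -> bool:
        """True iff some run ends in an accepting location after reading theta."""
        frontier = [(self.init, {x: 0.0 for x in self.clocks})]   # v_0 = 0
        prev = 0.0                                                 # tau_0 = 0
        for letter, tau in theta:
            if tau < prev:
                raise ValueError("time stamps must be non-decreasing")
            nxt = []
            for loc, v in frontier:
                loc2, v2 = self.time_succ(loc, v, tau - prev)
                nxt.extend(self.discrete_succs(loc2, v2, letter))
            frontier, prev = nxt, tau
            if not frontier:
                return False                # every run is stuck: no guard fires
        return any(loc in self.accepting for loc, _ in frontier)

def true(v: Valuation) -> bool:
    return True

def within(x: str, lo: float, hi: float) -> Guard:
    return lambda v: lo <= v[x] <= hi

def example_ta() -> TA:
    # l0 -a, reset x-> l1; l1 loops on anything; l1 -b, x in [2,3]-> l2 (accepting, loops).
    return TA(
        clocks=["x"], init="l0", accepting={"l2"},
        transitions=[
            ("l0", "a", true, frozenset({"x"}), "l1"),
            ("l1", "a", true, frozenset(), "l1"),
            ("l1", "b", true, frozenset(), "l1"),
            ("l1", "b", within("x", 2.0, 3.0), frozenset(), "l2"),
            ("l2", "a", true, frozenset(), "l2"),
            ("l2", "b", true, frozenset(), "l2"),
        ],
    )

if __name__ == "__main__":
    ta = example_ta()
    for word in ([("a", 0.0), ("b", 1.0), ("b", 2.0)], [("a", 0.0), ("b", 1.0), ("b", 4.0)]):
        print(word, "->", ta.accepts(word))
```

Because the guard on the $b$-transition to `l2` is checked after the time successor has advanced `x`, the run for $(a,0)(b,1)(b,2)$ is accepted through the second $b$ only; keeping the whole frontier rather than one configuration is what makes the self-loop on `l1` and the exit to `l2` both available at that step.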

We can now sketch the translation; the full details can be found in Appendix C. Let $\Phi$ be an MITL formula, and assume $\mathcal{A}_\Phi = (\Sigma, L^\star, \ell^\star_0, F^\star, \delta^\star)$. Let us show how to build the TA $\mathcal{B}_\Phi = (\Sigma, L, \ell_0, X, F, \delta)$ s.t. $L(\mathcal{B}_\Phi) = L_{f^\star_\Phi}(\mathcal{A}_\Phi)$. The TA $\mathcal{B}_\Phi$ is built as follows. For a set of clocks $X$, we let $\mathrm{loc}(X)$ be the set of functions $S$ that associate with each $\ell \in L^\star$ a finite sequence $(x_1, y_1), \ldots, (x_n, y_n)$ of pairs of clocks from $X$, s.t. each clock occurs only once in all the $S(\ell)$. Then, $L = \mathrm{loc}(X)$. Observe that $L$ is indeed a finite set. Intuitively, a configuration $(S, v)$ of $\mathcal{B}_\Phi$ encodes the configuration $C$ of $\mathcal{A}_\Phi$ s.t. for all $\ell \in L^\star$: $C(\ell) = \{[v(x), v(y)] \mid (x, y) \in S(\ell)\}$. The other components of $\mathcal{B}_\Phi$ are defined as follows. $\ell_0$ is s.t. $\ell_0(\ell^\star_0) = (x, y)$, where $x$ and $y$ are two clocks arbitrarily chosen from $X$, and $\ell_0(\ell) = \emptyset$ for all $\ell \in L^\star \setminus \{\ell^\star_0\}$. $X$ is a set of clocks s.t. $|X| = M(\Phi)$. $F$ is the set of all locations $S$ s.t. $\{\ell \mid S(\ell) \neq \emptyset\} \subseteq F^\star$. Finally, $\delta$ allows $\mathcal{B}_\Phi$ to simulate the $f^\star_\Phi$-semantics of $\mathcal{A}_\Phi$: the non-determinism of $\delta$ enables to guess which clocks must be grouped to form appropriate intervals (see appendix for all the details).

Theorem 3. For all MITL formula $\Phi$, $\mathcal{B}_\Phi$ has $M(\Phi)$ clocks and $O\big((|\Phi|)^{m|\Phi|}\big)$ locations, where

$$m = \max_{I \in \mathcal{I}_\Phi}\Big\{ 2 \times \Big\lceil \frac{\inf(I)}{|I|} \Big\rceil + 1,\; \Big\lceil \frac{\sup(I)}{|I|} \Big\rceil + 1 \Big\}.$$



5 Future works: towards efficient MITL model checking

Let us close this work with several observations that could yield efficient model checking algorithms for MITL. Let $\mathcal{C}$ be a timed automaton, and let $\Phi$ be an MITL formula. Obviously, one can perform automaton-based model checking by computing a TA $\mathcal{B}_{\neg\Phi}$ accepting $[\![\neg\Phi]\!]$ (using the technique presented in Section 4 or the technique of [2]), and explore their synchronous product $\mathcal{C} \times \mathcal{B}_{\neg\Phi}$ using classical region-based or zone-based techniques [1]. This approach has an important drawback in practice: the number $M$ of clocks of the $\mathcal{B}_{\neg\Phi}$ TA is usually very high (using our approach or the approach of [2]), and the algorithm exploring $\mathcal{C} \times \mathcal{B}_{\neg\Phi}$ will have to maintain data structures (regions or zones) ranging over $N + M$ clocks, where $N$ is the number of clocks of $\mathcal{C}$.

A way to avoid this blow-up in the number of clocks is to perform the model checking using the OCATA $\mathcal{A}_{\neg\Phi}$ (with its $f^\star_{\neg\Phi}$-semantics) instead of the TA $\mathcal{B}_{\neg\Phi}$. First, the size of $\mathcal{A}_{\neg\Phi}$ is linear in the size of $\Phi$, and it is straightforward to build. Second, a configuration of $\mathcal{C} \times \mathcal{A}_{\neg\Phi}$ stores only the clocks that correspond to active copies of $\mathcal{A}_{\neg\Phi}$, which, in practice, can be much fewer than the number of clocks of $\mathcal{B}_{\neg\Phi}$. Third, this approach allows to retain the structure of the OCATA in the transition system of $\mathcal{C} \times \mathcal{A}_{\neg\Phi}$, which allows to define antichain-based algorithms [5], that rely on a partial order on the state space to detect redundant states and avoid exploring them. Such an approach has been applied in the case of LTL model checking [5]. It relies crucially on the translation of LTL formulas to alternating automata, and yields dramatic improvements in the practical performance of the algorithm.

To obtain such algorithms, we need a symbolic data structure to encode the configurations of $\mathcal{C} \times \mathcal{A}_{\neg\Phi}$. Such a data structure can be achieved by lifting, to our interval semantics, the technique from [11] that consists in encoding regions of OCATA configurations by means of finite words. Remark that this encoding differs from the classical regions for TA [1], in the sense that the word encoding allows the number of clocks to change along paths of the transition system.

These ideas explain what we believe are the benefits of using an OCATA-based characterisation of MITL formulas. The precise definition of the model checking algorithm sketched above is the topic of our current research.
A Proof of Proposition 1

Before proving Proposition 1, we make several useful observations about the transition relation of an OCATA. Let $\delta$ be the transition function of some OCATA, let $\ell$ be a location, let $\sigma$ be a letter, and assume $\delta(\ell, \sigma) = \bigvee_j a_j$, where each $a_j$ is an arc, i.e. a conjunction of atoms of the form: $\ell'$, $x.\ell'$, $x \bowtie c$, $\top$ or $\bot$. Then, we observe that each minimal model of $\delta(\ell, \sigma)$ wrt some interval $I$ corresponds to firing one of the arcs $a_j$ from $(\ell, I)$. That is, each minimal model can be obtained by choosing an arc $a_j$ from $\delta(\ell, \sigma)$, and applying the following procedure. Assume $a_j = \ell_1 \wedge \cdots \wedge \ell_n \wedge x.(\ell_{n+1} \wedge \cdots \wedge \ell_m) \wedge \varphi$, where $\varphi$ is a conjunction of clock constraints. Then, $a_j$ is firable from a state $(\ell, I)$ iff $I \models \varphi$ (otherwise, no minimal model can be obtained from $a_j$). In this case, the minimal model is $\{(\ell_i, I) \mid 1 \le i \le n\} \cup \{(\ell_i, [0,0]) \mid n + 1 \le i \le m\}$. This generalises to configurations $C = \{(\ell_1, I_1), \ldots, (\ell_n, I_n)\}$: successors $C'$ are obtained by selecting a firable arc from each $(\ell_i, I_i)$, and taking the union of the resulting configurations.
Proposition 1. For all OCATA $\mathcal{A}$, for all $f \in \mathrm{APP}_{\mathcal{A}}$: $L_f(\mathcal{A}) \subseteq L(\mathcal{A})$.

Proof. Let us consider a timed word $\theta = (\sigma, \bar\tau)$ in $L_f(\mathcal{A})$ and let us show that $\theta \in L(\mathcal{A})$. Let us assume that $|\theta| = n$. Let

$$\rho = C_0 \xrightarrow{\tau_1} C_1 \xrightarrow{\sigma_1}_f C_2 \xrightarrow{\tau_2 - \tau_1} C_3 \cdots \xrightarrow{\tau_n - \tau_{n-1}} C_{2n-1} \xrightarrow{\sigma_n}_f C_{2n}$$

be the accepting $f$-run of $\mathcal{A}$ on $\theta$, with $C_0 = \{(\ell_0, [0,0])\}$ and where $C_{2n}$ is accepting. Let us build, from $\rho$, an accepting $\mathit{Id}$-run

$$\rho' = D_0 \xrightarrow{\tau_1} D_1 \xrightarrow{\sigma_1}_{\mathit{Id}} D_2 \xrightarrow{\tau_2 - \tau_1} D_3 \xrightarrow{\sigma_2}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}} D_{2n-1} \xrightarrow{\sigma_n}_{\mathit{Id}} D_{2n}$$

s.t.:

1. $D_0 = \{(\ell_0, [0,0])\}$,

2. $D_{2n}$ is accepting, and

3. for all $1 \le i \le n$, for all $(\ell, [v,v]) \in D_{2i}$ there is $(\ell, I) \in C_{2i}$ s.t. $v \in I$.

We build $\rho'$ by induction on the positions along $\rho$:

Basis: ($i = 0$) Since $D_0 = C_0$, the property holds trivially.

Induction: ($i = k + 1$) The induction hypothesis is that we have built the prefix of $\rho'$ up to $D_{2k}$, and that, for all $j \le k$, for all $(\ell, [v,v]) \in D_{2j}$ there is $(\ell, I) \in C_{2j}$ s.t. $v \in I$. Let us show how to build $D_{2k+1}$ and $D_{2(k+1)}$.

• We first take care of the time transition. Let $t_{k+1} = \tau_{k+1} - \tau_k$ and $D_{2k+1} = D_{2k} + t_{k+1}$. Clearly, $D_{2k} \xrightarrow{t_{k+1}} D_{2k+1}$. In $\rho$, we have $C_{2k} \xrightarrow{t_{k+1}} C_{2k+1}$, and so $C_{2k+1} = C_{2k} + t_{k+1}$. It is straightforward to prove that this maintains the induction hypothesis:

$$\forall (\ell, [v,v]) \in D_{2k+1} : \exists (\ell, I) \in C_{2k+1} : v \in I \qquad (1)$$

• We must build $D_{2k+2}$ corresponding to the transition $D_{2k+1} \xrightarrow{\sigma_{k+1}}_{\mathit{Id}} D_{2k+2}$. Let us assume that $D_{2k+1} = \{(\ell_1, [v_1, v_1]), \ldots, (\ell_p, [v_p, v_p])\}$ for some $p$, and let us assume that $C_{2k+1} = \{(\ell'_1, I_1), \ldots, (\ell'_q, I_q)\}$ for some $q$. Let $h : \{1, \ldots, p\} \to \{1, \ldots, q\}$ be a function s.t. for all $1 \le j \le p$: $\ell_j = \ell'_{h(j)}$ and $v_j \in I_{h(j)}$. This function exists, by (1), and we will rely on it to build $D_{2k+2}$ from $C_{2k+2}$.

In $\rho$, $C_{2k+1} \xrightarrow{\sigma_{k+1}}_f C_{2k+2}$. Then, $C_{2k+2} \in f(E)$, where $E = \bigcup_{1 \le j \le q} E_j$ and each $E_j$ is a minimal model of $\delta(\ell'_j, \sigma_{k+1})$ with respect to $I_j$. Each of those minimal models corresponds to an arc starting from $\ell'_j$; let us denote this arc by $a_j$. Remark that, for all $j$, $I_j$ satisfies the guard of $a_j$, since $\rho$ is a genuine run.

Then, we let $D_{2k+2}$ be the configuration obtained by taking, for all $1 \le j \le p$, the arc $a_{h(j)}$ from $(\ell_j, [v_j, v_j]) \in D_{2k+1}$. Clearly, $v_j$ satisfies the guard $g$ of $a_{h(j)}$, because $v_j \in I_{h(j)}$, by definition of $h$, and $I_{h(j)}$ satisfies $g$. It is also easy to check that $D_{2k+2} = \bigcup_{1 \le j \le p} M_j$, where each $M_j$ is a minimal model of $\delta(\ell_j, \sigma_{k+1})$ wrt. $[v_j, v_j]$. Hence, $D_{2k+1} \xrightarrow{\sigma_{k+1}}_{\mathit{Id}} D_{2k+2}$. Finally, since we fire the same arcs in both $\rho$ and $\rho'$, the resets are the same in both cases. By definition of the approximation function, we conclude that $C_{2k+2}$ and $D_{2k+2}$ satisfy the induction hypothesis.

This induction builds the run $\rho'$ and shows that for all $(\ell, [v,v]) \in D_{2n}$, there is $(\ell, I) \in C_{2n}$ s.t. $v \in I$. As $\rho$ is accepting, $C_{2n}$ is an accepting configuration and all the states it contains are accepting, i.e. $\forall (\ell, I) \in C_{2n}$, $\ell$ is an accepting location. We deduce from this that $D_{2n}$ is an accepting configuration. □

B Proof of Theorem 2

Before proving Theorem 2, we give a precise characterisation of the bound $M(\Phi)$. Let $\Phi$ be an MITL formula in negative normal form. We define $M(\Phi)$ thanks to $M^\infty(\Phi)$ and $M^1(\Phi)$, defined as follows:

• if $\Phi = \sigma$ or $\Phi = \neg\sigma$ (with $\sigma \in \Sigma$), then $M(\Phi) = 2$ and $M^\infty(\Phi) = M^1(\Phi) = 0$.

• if $\Phi = \varphi_1 \wedge \varphi_2$, then $M(\Phi) = \max\{2, M^1(\varphi_1) + M^1(\varphi_2)\}$, $M^\infty(\Phi) = M^\infty(\varphi_1) + M^\infty(\varphi_2)$ and $M^1(\Phi) = M^1(\varphi_1) + M^1(\varphi_2)$.

• if $\Phi = \varphi_1 \vee \varphi_2$, then $M(\Phi) = \max\{2, M^1(\varphi_1), M^1(\varphi_2)\}$, $M^\infty(\Phi) = \max\{M^\infty(\varphi_1), M^\infty(\varphi_2)\}$ and $M^1(\Phi) = \max\{M^1(\varphi_1), M^1(\varphi_2)\}$.

• if $\Phi = \varphi_1\,\mathcal{U}_I\,\varphi_2$, then $M(\Phi) = \max\{2, M^\infty(\varphi_1) + M^1(\varphi_2) + 1\}$,
$$M^\infty(\Phi) = \Big(4 \times \Big\lceil \frac{\inf(I)}{|I|} \Big\rceil + 2\Big) + M^\infty(\varphi_1) + M^\infty(\varphi_2)$$
and $M^1(\Phi) = M^\infty(\varphi_1) + M^1(\varphi_2)$.

• if $\Phi = \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$, then $M(\Phi) = \max\{2, M^1(\varphi_1) + M^\infty(\varphi_2) + 1\}$,
$$M^\infty(\Phi) = \Big(2 \times \Big\lceil \frac{\sup(I)}{|I|} \Big\rceil + 2\Big) + M^\infty(\varphi_1) + M^\infty(\varphi_2)$$
and $M^1(\Phi) = M^1(\varphi_1) + M^\infty(\varphi_2)$.
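The inductive definition above is a direct recursion on the formula tree. The Python below is an added example (not code from the paper) that computes the triple $(M(\Phi), M^\infty(\Phi), M^1(\Phi))$ from a small AST for MITL in negative normal form and compares $M(\Phi)$ with the closed-form bound $|\Phi| \times \max_{I \in \mathcal{I}_\Phi}(\ldots)$ stated in Section 4. The AST classes and the reading of $|\Phi|$ as the number of sub-formula nodes are the example's own assumptions (the page does not define $|\Phi|$); intervals are $(\inf(I), \sup(I))$ pairs and must be non-singular, as MITL requires.

```python
import math
from dataclasses import dataclass
from typing import Set, Tuple, Union

# MITL in negative normal form: atoms, conjunction, disjunction, U_I and its dual.
@dataclass(frozen=True)
class Atom:
    name: str
    negated: bool = False

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Until:            # left U_I right
    left: "Formula"
    right: "Formula"
    I: Tuple[float, float]

@dataclass(frozen=True)
class DualUntil:        # left U~_I right
    left: "Formula"
    right: "Formula"
    I: Tuple[float, float]

Formula = Union[Atom, And, Or, Until, DualUntil]

def _length(I):
    lo, hi = I
    if hi - lo <= 0:
        raise ValueError("MITL intervals must be non-singular")
    return hi - lo

def bounds(phi: Formula) -> Tuple[int, int, int]:
    """Return (M(phi), M^inf(phi), M^1(phi)) following the inductive definition.
    (Use exact rationals instead of floats if the interval bounds are not
    representable exactly; the ceilings here are computed on floats.)"""
    if isinstance(phi, Atom):
        return 2, 0, 0
    m1, inf1, one1 = bounds(phi.left)
    m2, inf2, one2 = bounds(phi.right)
    if isinstance(phi, And):
        return max(2, one1 + one2), inf1 + inf2, one1 + one2
    if isinstance(phi, Or):
        return max(2, one1, one2), max(inf1, inf2), max(one1, one2)
    lo, hi = phi.I
    if isinstance(phi, Until):
        fresh = 4 * math.ceil(lo / _length(phi.I)) + 2
        return max(2, inf1 + one2 + 1), fresh + inf1 + inf2, inf1 + one2
    fresh = 2 * math.ceil(hi / _length(phi.I)) + 2          # DualUntil
    return max(2, one1 + inf2 + 1), fresh + inf1 + inf2, one1 + inf2

def size(phi: Formula) -> int:
    """|phi|, taken here as the number of sub-formula nodes (assumption)."""
    return 1 if isinstance(phi, Atom) else 1 + size(phi.left) + size(phi.right)

def intervals_of(phi: Formula) -> Set[Tuple[float, float]]:
    """I_phi: the intervals occurring on the modalities of phi."""
    if isinstance(phi, Atom):
        return set()
    found = intervals_of(phi.left) | intervals_of(phi.right)
    if isinstance(phi, (Until, DualUntil)):
        found.add(phi.I)
    return found

def paper_bound(phi: Formula) -> int:
    """|phi| x max_I ( 4 ceil(inf(I)/|I|) + 2 , 2 ceil(sup(I)/|I|) + 2 )."""
    ivs = intervals_of(phi)
    if not ivs:
        raise ValueError("the bound is stated for formulas with at least one modality")
    per_interval = max(
        max(4 * math.ceil(lo / _length((lo, hi))) + 2, 2 * math.ceil(hi / _length((lo, hi))) + 2)
        for lo, hi in ivs
    )
    return size(phi) * per_interval

if __name__ == "__main__":
    a, b, c = Atom("a"), Atom("b"), Atom("c")
    nested = Until(Until(a, b, (1.0, 2.0)), c, (0.0, 2.0))   # constructed sample formula
    print("M, M^inf, M^1 =", bounds(nested), " closed-form bound =", paper_bound(nested))
```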



Then, let us recall useful results from [11, 12] that enable to prove Proposition 2.

Proposition 3 ([11]). Let $\Phi = \varphi_1\,\mathcal{U}_I\,\varphi_2$ or $\Phi = \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$ be an MITL formula and $\ell_\Phi$ the associated location in $\mathcal{A}_\Phi$. Let $\theta$ be a timed word. The automaton $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_\Phi, 0)\}$ iff $(\theta, 1) \models \Phi$.

The following corollary directly follows from Proposition 3.

Corollary 1. Let $\Phi$ be an MITL formula, let $K$ be a set of indices and, $\forall k \in K$, let $\Phi_k = \varphi_{1,k}\,\mathcal{U}_{I_k}\,\varphi_{2,k}$ or $\Phi_k = \varphi_{1,k}\,\widetilde{\mathcal{U}}_{I_k}\,\varphi_{2,k}$ be subformulas of $\Phi$. For all $k \in K$, let $\ell_{\Phi_k}$ be the associated locations in $\mathcal{A}_\Phi$. Let $\theta$ be a timed word. Then, $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, 0)\}_{k \in K}$ iff $(\theta, 1) \models \bigwedge_{k \in K} \Phi_k$.

Let us now adapt this result to the cases where the automaton reads the word from states of the form $(\ell, v)$, with $v$ potentially $\neq 0$:

Lemma 1. Let $\Phi$ be an MITL formula, let $K$ be a set of indices and, $\forall k \in K$, let $\Phi_k = \varphi_{1,k}\,\mathcal{U}_{I_k}\,\varphi_{2,k}$ or $\Phi_k = \varphi_{1,k}\,\widetilde{\mathcal{U}}_{I_k}\,\varphi_{2,k}$ be sub-formulas of $\Phi$. For all $k \in K$, let $\ell_{\Phi_k}$ be their associated locations in $\mathcal{A}_\Phi$. Let $\theta$ be a timed word and $v_k \in \mathbb{R}^+$ ($\forall k \in K$). The automaton $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, v_k)\}_{k \in K}$ iff $(\theta, 1) \models \bigwedge_{k \in K} (\Phi_k - v_k)$, where, for all $k \in K$, $\Phi_k - v_k$ denotes the formula obtained from $\Phi_k$ by replacing the $I_k$ interval on the modality by $I_k - v_k$.

Proof. We prove that, for all $k \in K$ s.t. the outer modality of $\Phi_k$ is $\mathcal{U}$: $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from $(\ell_{\Phi_k}, v_k)$ iff $\theta \models \varphi_{1,k}\,\mathcal{U}_{I_k - v_k}\,\varphi_{2,k}$. The same arguments adapt to the $\widetilde{\mathcal{U}}$ case, and the Lemma follows.

Assume $\theta = (\sigma, \bar\tau)$ with $\sigma = \sigma_1\sigma_2\cdots\sigma_n$ and $\bar\tau = \tau_1\tau_2\cdots\tau_n$. For all $v \in \mathbb{R}^+$, let $\theta + v$ denote the timed word $(\sigma, \bar\tau')$, where $\bar\tau' = (\tau_1 + v)(\tau_2 + v)\cdots(\tau_n + v)$. Observe that, by definition of the semantics of MITL, $\theta \models \varphi_1\,\mathcal{U}_I\,\varphi_2$ iff $\theta + v \models \varphi_1\,\mathcal{U}_{I + v}\,\varphi_2$ (remark that the $\varphi_1$ and $\varphi_2$ formulas are preserved).

First, assume that $\theta \models \varphi_{1,k}\,\mathcal{U}_{I_k - v_k}\,\varphi_{2,k}$ and let us show that $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from $(\ell_{\Phi_k}, v_k)$. Since $\theta \models \varphi_{1,k}\,\mathcal{U}_{I_k - v_k}\,\varphi_{2,k}$, $\theta + v_k \models \varphi_{1,k}\,\mathcal{U}_{I_k}\,\varphi_{2,k} = \Phi_k$. Then, by Proposition 3, $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta + v_k$ from $(\ell_{\Phi_k}, 0)$. Let $(\ell_{\Phi_k}, 0) \xrightarrow{\tau_1 + v_k, \sigma_1}_{\mathit{Id}} C_1 \xrightarrow{\tau_2 - \tau_1, \sigma_2}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}, \sigma_n}_{\mathit{Id}} C_n$ be an accepting $\mathit{Id}$-run of $\mathcal{A}_\Phi$ from $(\ell_{\Phi_k}, 0)$ on $\theta + v_k$. Obviously, the first time step can be decomposed as follows: $(\ell_{\Phi_k}, 0) \xrightarrow{v_k} (\ell_{\Phi_k}, v_k) \xrightarrow{\tau_1, \sigma_1}_{\mathit{Id}} C_1 \xrightarrow{\tau_2 - \tau_1, \sigma_2}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}, \sigma_n}_{\mathit{Id}} C_n$, where the suffix starting in $(\ell_{\Phi_k}, v_k)$ is an accepting $\mathit{Id}$-run on $\theta$. We conclude that $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from $(\ell_{\Phi_k}, v_k)$.

By using the same arguments, we can prove that $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from $(\ell_{\Phi_k}, v_k)$ implies that $\theta \models \varphi_{1,k}\,\mathcal{U}_{I_k - v_k}\,\varphi_{2,k}$. □

Let us show that Lemma 1 extends to non-singular intervals:

Lemma 2. Let $\Phi$ be an MITL formula, let $K$ be a set of indices and, $\forall k \in K$, let $\Phi_k$ be sub-formulas of $\Phi$ of the form either $\varphi_{1,k}\,\mathcal{U}_{I_k}\,\varphi_{2,k}$ or $\varphi_{1,k}\,\widetilde{\mathcal{U}}_{I_k}\,\varphi_{2,k}$. For all $k \in K$, let $\ell_{\Phi_k}$ be their associated locations in $\mathcal{A}_\Phi$. Let $\theta$ be a timed word and $J_k \in \mathcal{I}(\mathbb{R}^+)$ ($\forall k \in K$). The automaton $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, J_k)\}_{k \in K}$ iff $\forall k \in K$, $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, J_k)\}$.

Proof. It is straightforward by definition of runs on $\mathcal{A}_\Phi$: the time elapsed is reported on each state $(\ell_{\Phi_k}, J_k)$ and the reading of a letter gives a minimal model for each state $(\ell_{\Phi_k}, J_k)$ before merging them into a unique new configuration. □

Now, we recall a result from [12]:

Lemma 3 ([12]). Let $\Phi$ be an MITL formula and $\psi$ a sub-formula of $\Phi$. Let $\theta = (\sigma, \bar\tau)$ be a timed word and $\rho : C_0 = \{(\ell_\Phi, 0)\} \xrightarrow{\tau_1} C_1 \xrightarrow{\sigma_1}_{\mathit{Id}} C_2 \xrightarrow{\tau_2 - \tau_1} C_3 \xrightarrow{\sigma_2}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}} C_{2n-1} \xrightarrow{\sigma_n}_{\mathit{Id}} C_{2n}$ an accepting $\mathit{Id}$-run of $\mathcal{A}_\Phi$ on $\theta$. $\forall 1 \le i \le n$, if $C_{2i} \models_{[0,0]} \delta(\psi, \sigma_i)$, then $(\theta, i) \models \psi$.

We can now prove Proposition 2.

Proposition 2: Let $\Phi$ be an MITL formula, let $K$ be a set of indices and, $\forall k \in K$, let $\Phi_k := \varphi_{1,k}\,\mathcal{U}_{I_k}\,\varphi_{2,k}$ be sub-formulas of $\Phi$. For all $k \in K$, let $\ell_{\Phi_k}$ be their associated locations in $\mathcal{A}_\Phi$. Let $\theta = (\sigma, \bar\tau)$ be a timed word and $J_k \in \mathcal{I}(\mathbb{R}^+)$ closed. The automaton $\mathcal{A}_\Phi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, J_k)\}_{k \in K}$ iff $\forall k \in K$: $\exists m_k \ge 1 : (\theta, m_k) \models \varphi_{2,k} \wedge \tau_{m_k} \in I_k - \inf(J_k) \wedge \tau_{m_k} \in I_k - \sup(J_k) \wedge \forall 1 \le m'_k < m_k : (\theta, m'_k) \models \varphi_{1,k}$.

Proof. Thanks to Lemma 2, we only need to prove the following. Let $\Psi$ be an MITL formula, $\Phi := \varphi_1\,\mathcal{U}_I\,\varphi_2$ a sub-formula of $\Psi$ and $\ell_\Phi$ its associated location in $\mathcal{A}_\Psi$. Let $\theta = (\sigma, \bar\tau)$ be a timed word and $J \in \mathcal{I}(\mathbb{R}^+)$ closed. The automaton $\mathcal{A}_\Psi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_\Phi, J)\}$ iff $\exists m \ge 1 : (\theta, m) \models \varphi_2 \wedge \tau_m \in I - \inf(J) \wedge \tau_m \in I - \sup(J) \wedge \forall 1 \le m' < m : (\theta, m') \models \varphi_1$.

($\Rightarrow$) As the automaton $\mathcal{A}_\Psi$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_\Phi, J)\}$, there exists an accepting $\mathit{Id}$-run of $\mathcal{A}_\Psi$ on $\theta$ from $\{(\ell_\Phi, J)\}$, say

$$\rho = C_0 \xrightarrow{\tau_1} C_1 \xrightarrow{\sigma_1}_{\mathit{Id}} C_2 \xrightarrow{\tau_2 - \tau_1} C_3 \xrightarrow{\sigma_2}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}} C_{2n-1} \xrightarrow{\sigma_n}_{\mathit{Id}} C_{2n},$$

where $C_0 = \{(\ell_\Phi, J)\}$ and $C_{2n}$ is accepting. For all $i$, when reading $\sigma_i$, two transitions can be taken from $\ell_\Phi$: either $x.\delta(\varphi_2, \sigma) \wedge x \in I$ or $x.\delta(\varphi_1, \sigma) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$. Let $m$ be the first position in the run where the transition $x.\delta(\varphi_2, \sigma) \wedge x \in I$ is taken. Such a position must exist because $\ell_\Phi$ is not an accepting location but $\rho$ is an accepting $\mathit{Id}$-run. Then, for all $m' < m$, when reading $\sigma_{m'}$, the transition $x.\delta(\varphi_1, \sigma) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$ is taken: it does not reset the clock copies that stay in $\ell_\Phi$. So, the part of configuration $C_{2m-1}$ associated with location $\ell_\Phi$ is $\{(\ell_\Phi, J + \tau_m)\}$. As the transition $x.\delta(\varphi_2, \sigma_m) \wedge x \in I$ is then taken, $J + \tau_m$ must satisfy $x \in I$, i.e. (by definition of the minimal model) $\forall v + \tau_m \in J + \tau_m$, $v + \tau_m \in I$, i.e.: $\forall v \in J$, $\tau_m \in I - v$ and in particular (as $J$ is closed) $\tau_m \in I - \inf(J) \wedge \tau_m \in I - \sup(J)$. Moreover, as $\rho$ is an accepting $\mathit{Id}$-run, the part $x.\delta(\varphi_2, \sigma_m)$ of the transition taken from $\{(\ell_\Phi, J + \tau_m)\}$ corresponds to the fact that $C_{2m} \models_{[0,0]} \delta(\varphi_2, \sigma_m)$; thanks to Lemma 3 we know it means that $(\theta, m) \models \varphi_2$. In the same way, with the reading of $\sigma_{m'}$, for $1 \le m' < m$, the transition $x.\delta(\varphi_1, \sigma_{m'}) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$ was taken. As $\rho$ is an accepting $\mathit{Id}$-run, the part $x.\delta(\varphi_1, \sigma_{m'})$ of the transition taken from $\{(\ell_\Phi, J + \tau_{m'})\}$ corresponds to the fact that $C_{2m'} \models_{[0,0]} \delta(\varphi_1, \sigma_{m'})$; thanks to Lemma 3 we know it means that $(\theta, m') \models \varphi_1$. We conclude that $\exists m \ge 1 : (\theta, m) \models \varphi_2 \wedge \tau_m \in I - \inf(J) \wedge \tau_m \in I - \sup(J) \wedge \forall 1 \le m' < m : (\theta, m') \models \varphi_1$.

($\Leftarrow$) In the sequel, we use the following notation. Assume that $\theta = (\sigma, \bar\tau)$, where $\sigma = \sigma_1\sigma_2\cdots\sigma_n$ and $\bar\tau = \tau_1\tau_2\cdots\tau_n$, and let $\tau_0 = 0$. For all $1 \le k \le n$, we denote by $\theta^k = (\sigma^k, \bar\tau^k)$, where $\sigma^k = \sigma_k\sigma_{k+1}\cdots\sigma_n$ and $\bar\tau^k = \tau'_1\tau'_2\cdots\tau'_{n-k+1}$, the timed word such that $\forall 1 \le i \le n - k + 1$, $\tau'_i = \tau_{i+k-1} - \tau_{k-1}$, i.e. the suffix of $\theta$ starting at position $k$, with all time stamps decreased by $\tau_{k-1}$ (this is the notation $\theta^{j+1}$ of Section 4).

We will construct an accepting $\mathit{Id}$-run $\rho$ of $\mathcal{A}_\Psi$ on $\theta$ from configuration $\{(\ell_\Phi, J)\}$, say $C_0 = \{(\ell_\Phi, J)\} \xrightarrow{\tau_1} C_1 \xrightarrow{\sigma_1}_{\mathit{Id}} C_2 \xrightarrow{\tau_2 - \tau_1} C_3 \xrightarrow{\sigma_2}_{\mathit{Id}} \cdots \xrightarrow{\tau_n - \tau_{n-1}} C_{2n-1} \xrightarrow{\sigma_n}_{\mathit{Id}} C_{2n}$, where $C_{2n}$ is accepting. By hypothesis, $\exists m \ge 1$ such that (a) $(\theta, m) \models \varphi_2$, (b) $\tau_m \in I - \inf(J) \wedge \tau_m \in I - \sup(J)$ and (c) $\forall 1 \le m' < m : (\theta, m') \models \varphi_1$. From $\ell_\Phi$ we have two possible transitions: $x.\delta(\varphi_2, \sigma) \wedge x \in I$ and $x.\delta(\varphi_1, \sigma) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$. We construct $\rho$ so that it consists in following the transition $x.\delta(\varphi_1, \sigma_{m'}) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$, $\forall 1 \le m' < m$, and the transition $x.\delta(\varphi_2, \sigma_m) \wedge x \in I$ when reading $\sigma_m$. We must prove that $\rho$ is an accepting $\mathit{Id}$-run of $\mathcal{A}_\Psi$ on $\theta$.

Remark that following the transition $x.\delta(\varphi_1, \sigma_{m'}) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$, $\forall 1 \le m' < m$, in particular, we loop on $\ell_\Phi$ without reset of the clock. It means that, $\forall 1 \le m' < m$, $C_{2m'-1}(\ell_\Phi) = \{J + \tau_{m'}\}$. So, it is possible to take the transition $x.\delta(\varphi_1, \sigma_{m'}) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$ reading $\sigma_{m'}$ from $\ell_\Phi$ because the interval associated to this location is then $J + \tau_{m'}$ and satisfies the clock constraint $x \le \sup(I)$: (b) implies that $\tau_{m'} \le \tau_m \le \sup(I) - \sup(J)$, so $\sup(J) + \tau_{m'} \le \sup(I)$, and so $\forall j + \tau_{m'} \in J + \tau_{m'}$, $j + \tau_{m'} \le \sup(I)$. Moreover, we know that $\forall 1 \le m' < m$, $(\theta, m') \models \varphi_1$. It means that, $\forall 1 \le m' < m$, the automaton $\mathcal{A}_{\varphi_1}$ $\mathit{Id}$-accepts $\theta^{m'}$ from $\{(\varphi_{1,\mathrm{init}}, 0)\}$, i.e. there is an accepting $\mathit{Id}$-run of $\mathcal{A}_{\varphi_1}$ on $\theta^{m'}$ taking the transition $x.\delta(\varphi_1, \sigma_{m'})$ (the unique transition we can take from location $\varphi_{1,\mathrm{init}}$). However, the locations of $\mathcal{A}_{\varphi_1}$ to which $x.\delta(\varphi_1, \sigma_{m'})$ leads can be assimilated to the locations of $\mathcal{A}_\Psi$ corresponding to the same formulas (see the definitions of such automata and their locations). So, there is also an accepting run of $\mathcal{A}_\Psi$ on $\theta^{m'}$ taking the transition $x.\delta(\varphi_1, \sigma_{m'})$ ($\forall 1 \le m' < m$). As the transitions $x.\delta(\varphi_1, \sigma_{m'}) \wedge \varphi_1\,\mathcal{U}_I\,\varphi_2 \wedge x \le \sup(I)$ loop on $\ell_\Phi$, when reading $\sigma_m$, the interval $J + \tau_m$ is still associated to location $\ell_\Phi$. $\rho$ then consists in taking the transition $x.\delta(\varphi_2, \sigma_m) \wedge x \in I$. It is possible to take this transition reading $\sigma_m$ because $J + \tau_m$ satisfies the clock constraint $x \in I$: as $\tau_m \in I - \inf(J) \wedge \tau_m \in I - \sup(J)$ and $I$ and $J$ are intervals, $\forall j \in J$, $\tau_m \in I - j$, i.e. $\forall j \in J$, $j + \tau_m \in I$ and so $\forall v \in J + \tau_m$, $v \in I$. Moreover, we know that $(\theta, m) \models \varphi_2$. It means that the automaton $\mathcal{A}_{\varphi_2}$ $\mathit{Id}$-accepts $\theta^m$ from $\{(\varphi_{2,\mathrm{init}}, 0)\}$, i.e. there is an accepting $\mathit{Id}$-run of $\mathcal{A}_{\varphi_2}$ on $\theta^m$ taking the transition $x.\delta(\varphi_2, \sigma_m)$ (the unique transition we can take from location $\varphi_{2,\mathrm{init}}$). By the same argument as for $\varphi_1$, there is also an accepting run of $\mathcal{A}_\Psi$ on $\theta^m$ taking the transition $x.\delta(\varphi_2, \sigma_m)$, which enables to completely construct $\rho$. □

Proposition 4. Let $K$ be a set of indices, $\forall k \in K$, $\Phi_k := \varphi_{1,k}\,\widetilde{\mathcal{U}}_{I_k}\,\varphi_{2,k}$ be MITL formulas, $\ell_{\Phi_k}$ the associated locations in an OCATA $\mathcal{A}$ of [12] representing an MITL formula, and $J_k \in \mathcal{I}(\mathbb{R}^+)$. Let $\theta = (\sigma, \bar\tau)$ be a timed word. The automaton $\mathcal{A}$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, J_k)\}_{k \in K}$ iff $\forall k \in K$, $\forall v \in J_k$, the automaton $\mathcal{A}$ accepts $\theta$ from configuration $\{(\ell_{\Phi_k}, [v,v])\}$ (i.e.: $\forall k \in K$, $\forall v \in J_k$, $(\theta, 1) \models \varphi_{1,k}\,\widetilde{\mathcal{U}}_{I_k - v}\,\varphi_{2,k}$).

Proof. Thanks to Lemma 2, we only need to prove the following. Let $\Phi := \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$ be an MITL formula, $\ell_\Phi$ the associated location in an OCATA $\mathcal{A}$ of [12] representing an MITL formula, and $J \in \mathcal{I}(\mathbb{R}^+)$. Let $\theta = (\sigma, \bar\tau)$ be a timed word. The automaton $\mathcal{A}$ $\mathit{Id}$-accepts $\theta$ from configuration $\{(\ell_\Phi, J)\}$ iff $\forall v \in J$, the automaton $\mathcal{A}$ accepts $\theta$ from configuration $\{(\ell_\Phi, [v,v])\}$ (i.e.: $\forall v \in J$, $(\theta, 1) \models \varphi_1\,\widetilde{\mathcal{U}}_{I - v}\,\varphi_2$).

($\Rightarrow$) Let $v \in J$; we must prove that the automaton $\mathcal{A}$ accepts $\theta$ from configuration $\{(\ell_\Phi, [v,v])\}$. This proof is similar to the proof of Proposition 1, the unique difference being that the initial state $D_0$ is now $\{(\ell_\Phi, [v,v])\}$.

($\Leftarrow$) We have an accepting $\mathit{Id}$-run $\rho_v$ of $\mathcal{A}$ on $\theta$ from each configuration $\{(\ell_\Phi, [v,v])\}$, say $C^v_0 = \{(\ell_\Phi, [v,v])\} \xrightarrow{\tau_1} C^v_1 \xrightarrow{\sigma_1}_{\mathit{Id}} C^v_2 \xrightarrow{\tau_2 - \tau_1} \cdots \xrightarrow{\tau_n - \tau_{n-1}} C^v_{2n-1} \xrightarrow{\sigma_n}_{\mathit{Id}} C^v_{2n}$. From the transitions taken along these runs, we can deduce the instants at which $\varphi_1$ and $\varphi_2$ are verified (see the proof of Lemma 1). We will construct an accepting $\mathit{Id}$-run $\rho'$ of $\mathcal{A}$ on $\theta$ from configuration $\{(\ell_\Phi, J)\}$, say $C_0 = \{(\ell_\Phi, J)\} \xrightarrow{\tau_1} C_1 \xrightarrow{\sigma_1}_{\mathit{Id}} C_2 \xrightarrow{\tau_2 - \tau_1} \cdots \xrightarrow{\tau_n - \tau_{n-1}} C_{2n-1} \xrightarrow{\sigma_n}_{\mathit{Id}} C_{2n}$. Remark that the six transitions we can take on this run from $\ell_\Phi$ are: "$x.\delta(\varphi_2, \sigma_i) \wedge x.\delta(\varphi_1, \sigma_i)$", "$x.\delta(\varphi_2, \sigma_i) \wedge \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$", "$x.\delta(\varphi_2, \sigma_i) \wedge x > I$", "$x \notin I \wedge x.\delta(\varphi_1, \sigma_i)$", "$x \notin I \wedge \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$" and "$x \notin I \wedge x > I$" (where $x > I$, resp. $x < I$, means that $x$ is greater, resp. smaller, than every element of $I$). So, as long as a transition containing "$\varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$" is taken, the clock present in $\ell_\Phi$ is not reset and the part of configuration $C_{2i}$ associated to $\ell_\Phi$ will be $\{(\ell_\Phi, J + \tau_i)\}$ (assuming $\tau_0 = 0$). We distinguish several cases to construct $\rho'$:

• if $\varphi_2$ is verified on each reading of a letter at an instant in $\mathcal{K} := \bigcup_{v \in J} (I - v)$: then $\rho'$ consists of taking the transition "$x \notin I \wedge \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$" on each reading of a letter at an instant $\tau_i < \mathcal{K}$. At such instants, the part of configuration associated to $\ell_\Phi$ we are in is $\{(\ell_\Phi, J + \tau_i)\}$ and we do satisfy $\forall u \in J + \tau_i$, $u \notin I$; else $\exists u \in J + \tau_i$ such that $u \in I$ and so $u - \tau_i \in J$ and $u - (u - \tau_i) = \tau_i \in \mathcal{K}$, which contradicts our hypothesis. On the other hand, $\rho'$ consists of taking the transition "$x.\delta(\varphi_2, \sigma_i) \wedge \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$" on each reading of a letter at an instant in $\mathcal{K}$. Finally, on the first reading of a letter after $\mathcal{K}$, say at $\tau_j > \mathcal{K}$, $\rho'$ consists of taking the transition "$x \notin I \wedge x > I$". It is possible because, then, the part of configuration associated to $\ell_\Phi$ we are in is $\{(\ell_\Phi, J + \tau_j)\}$ and $\forall u \in J + \tau_j$: $u > I$. To prove it, suppose that $\exists u \in J + \tau_j : u < I$ or $u \in I$. On the one hand, if $u < I$, as $u \in J + \tau_j$, $\exists v \in J : u = v + \tau_j < I$, i.e.: $\exists v \in J : \tau_j < I - v$, which contradicts that $\tau_j > \mathcal{K}$. On the other hand, if $u \in I$, as $u \in J + \tau_j$, $\exists v \in J : u = v + \tau_j \in I$, i.e.: $\exists v \in J : \tau_j \in I - v$, which contradicts that $\tau_j > \mathcal{K}$. $\rho'$ is accepting thanks to the hypothesis of this case.

• else, $\varphi_1$ is verified at a certain instant in $\mathcal{L} = \{u' \mid \exists u \in \mathcal{K} : 0 \le u' \le u\}$. Then, there exists a smallest instant $\tau_i \in \mathcal{L}$ such that $\varphi_1$ is satisfied at $\tau_i$. Moreover, as for each $v \in J$, $(\theta, 1) \models \varphi_1\,\widetilde{\mathcal{U}}_{I - v}\,\varphi_2$, each instant $\tau_j$ with $0 < j < i$ and $\tau_j \in \mathcal{K}$ is an instant at which $\varphi_2$ must be satisfied. We must again distinguish two cases:

 – If $\tau_i < \mathcal{K}$, then $\rho'$ consists of taking the transition "$x \notin I \wedge \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$" on each reading of a letter at an instant $\tau_j$ with $0 < j < i$ (at such instants, we do satisfy $\forall u \in J + \tau_j$, $u \notin I$ because $\tau_j \notin \mathcal{K}$) and taking the transition "$x \notin I \wedge x.\delta(\varphi_1, \sigma_i)$" with the reading of $\sigma_i$ (it is possible because $\tau_i \notin \mathcal{K}$). This run is accepting because the transitions chosen only verify the satisfaction of $\varphi_1$ at an instant at which we know this formula is verified.

 – If $\tau_i \in \mathcal{K}$, then $\rho'$ consists of: taking the transition "$x \notin I \wedge \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$" on each reading of a letter at an instant $\tau_j$ with $0 < j < i$ and $\tau_j \notin \mathcal{K}$ (at such instants, we do satisfy $\forall u \in J + \tau_j$, $u \notin I$ because $\tau_j \notin \mathcal{K}$); taking the transition "$x.\delta(\varphi_2, \sigma_j) \wedge \varphi_1\,\widetilde{\mathcal{U}}_I\,\varphi_2$" on each reading of a letter at an instant $\tau_j$ with $0 < j < i$ and $\tau_j \in \mathcal{K}$ (we know $\varphi_2$ is verified at such instants) and taking the transition "$x.\delta(\varphi_2, \sigma_i) \wedge x.\delta(\varphi_1, \sigma_i)$" with the reading of $\sigma_i$ (it is possible because $\varphi_1$ is satisfied at $\tau_i$ by choice of $i$ and, as $\tau_i \in \mathcal{K}$, $\varphi_2$ is satisfied at this instant too). This run is accepting because the transitions chosen always verify the satisfaction of $\varphi_1$, or $\varphi_2$, at instants at which we know these formulas are verified.

□

Thanks to the previous results, we can now prove Theorem |2] We first recall the 
definition of Merge (S). Let S = {{i, Iq), {i, h), . • . , (^, Im)} be a set of states of 
A, all in the same location i, with, as usual /q < /i < • • ■ < /,„. Then, we let 
Merge (5) = {{£, [0,sup{h)]), {l,h). ■ • • , {ijm)] if /o = [0,0] and Merge (5) = S 
otherwise, i.e.. Merge [S) is obtained from S by grouping Iq and /i iff /q = [0, 0], 
otherwise Merge [S] does not modify S. 

Theorem |2] : For all MITL formula $, /^ is a bounded approximation function and 

Proof. The definition of /^ guarantees it is a bounded approximation function. The 
equaUty L(^$) = |$]] have akeady been established and Theorem [T] proves the in- 
clusion Lf* {Ais>) ^ L{A^). In the sequel, we so present a prove of the last needed 
inclusion: Lf*{A,s,) 3 L{A<s>). 



Let $\theta = (\bar\sigma, \bar\tau) \in L(A_\Phi)$. There is an accepting Id-run $\rho$ of $A_\Phi$ on $\theta$, say
\[ C_0 = \{(\ell_0, 0)\} \to C_1 \to_{Id} C_2 \to C_3 \to_{Id} \cdots \to C_{2n-1} \to_{Id} C_{2n}. \]
We must find an $f^*_k$-accepting $f^*_k$-run of $A_\Phi$ on $\theta$ (for $k = \max\{M(\Phi), 2.|L|\}$). Our proof is divided in two parts. In the first one, we will construct an accepting $f_\theta$-run $\rho'$ of $A_\Phi$ on $\theta$ (forming intervals following the result of Proposition 2), for a certain approximation function $f_\theta$ (later, we will show that $f_\theta$ corresponds to $f^*_\Phi$). This run will be
\[ D_0 = \{(\ell_0, [0,0])\} \to D_1 \to_{f_\theta} D_2 \to D_3 \to_{f_\theta} \cdots \to D_{2n-1} \to_{f_\theta} D_{2n}. \]
Simultaneously, we will prove that, the way we group the clock copies with $f_\theta$, each location associated with a formula $\varphi_1 U_I \varphi_2$ will contain at most $4\lceil \sup(I)/|I| \rceil + 2$ clock copies all along $\rho'$. In the second step, we will deduce from the last point that $\rho'$ is an accepting $f^*_\Phi$-run.

In the sequel, we will use the following notation. Assume that $\theta = (\bar\sigma, \bar\tau)$, where $\bar\sigma = \sigma_1\sigma_2\ldots\sigma_n$ and $\bar\tau = \tau_1\tau_2\ldots\tau_n$. For all $1 \le k \le n$, we denote by $\theta^k = (\bar\sigma^k, \bar\tau^k)$, where $\bar\sigma^k = \sigma_k\sigma_{k+1}\ldots\sigma_n$ and $\bar\tau^k = \tau'_1\tau'_2\ldots\tau'_{n-k}$, the timed word such that $\forall 1 \le i \le n-k$, $\tau'_i = \tau_{i+k} - \tau_k$.

Step 1: We construct $\rho'$ inductively, using $\rho$. We reduce the number of clock copies in the configuration reached after each reading of a letter. Our method is to group the last clock copy associated with a location $\ell_i$ with the previous interval associated with this location if it is possible, i.e. if we still have an accepting run thanks to Proposition 2 (this corresponds to the $\mathrm{Merge}()$ function). At the same time, we will prove that, in each configuration $D = \bigcup_{\ell_i \in L} D(\ell_i)$ reached with $\rho'$, if $\ell_i$ corresponds to a formula $\varphi_1 U_{I_i} \varphi_2$, then $\|D(\ell_i)\| \le 4\lceil \sup(I_i)/|I_i| \rceil + 2$.

The induction hypothesis (at step $k$) is that we have an accepting run on $\theta$:
\[ D_0 \to D_1 \cdots D_{2k-1} \to_{f_\theta} D_{2k} \to E_{2k+1} \cdots E_{2n-1} \to_{Id} E_{2n}, \]
such that $\forall 0 \le j \le 2k$, $\forall \ell_i \in L$ corresponding to a formula $\varphi_1 U_{I_i} \varphi_2$, we have that $\|D_j(\ell_i)\| \le 4\lceil \sup(I_i)/|I_i| \rceil + 2$, and $D_{2k} \to E_{2k+1} \cdots E_{2n-1} \to_{Id} E_{2n}$ is an accepting Id-run on $\theta^{k+1}$. Thanks to this hypothesis, we will show how to build
\[ D_{2k} \to D_{2k+1} \to_{f_\theta} D_{2k+2} \to F_{2k+3} \cdots F_{2n-1} \to_{Id} F_{2n} \]
such that

(i) $D_0 \to D_1 \cdots D_{2k} \to D_{2k+1} \to_{f_\theta} D_{2k+2} \to F_{2k+3} \cdots F_{2n-1} \to_{Id} F_{2n}$ is an accepting run on $\theta$,

(ii) $\forall \ell_i \in L$ corresponding to a formula $\varphi_1 U_{I_i} \varphi_2$: $\|D_{2k+2}(\ell_i)\| \le 4\lceil \sup(I_i)/|I_i| \rceil + 2$,

(iii) $D_{2k+2} \to F_{2k+3} \cdots F_{2n-1} \to_{Id} F_{2n}$ is an accepting Id-run on $\theta^{k+2}$.

Basis (k=0): we define $D_0 = C_0 = \{(\ell_0, [0,0])\}$. We still have an accepting Id-run of $A_\Phi$ on $\theta$: $\rho$. (The number of copies in $\ell_0$ will be discussed later because this location does not always correspond to a formula $\varphi_1 U_I \varphi_2$.)

Induction (k+1): We know there is an accepting Id-run of $A_\Phi$ from $D_{2k}$ on $\theta^{k+1}$; say the two first steps of this Id-run are: $D_{2k} \to E_{2k+1} \to_{Id} E_{2(k+1)}$. We define configuration $D_{2k+1}$ of $\rho'$ as $D_{2k+1} := E_{2k+1}$. As $\forall \ell_i \in L$ corresponding to a formula $\varphi_1 U_{I_i} \varphi_2$, $\|D_{2k}(\ell_i)\| \le 4\lceil \sup(I_i)/|I_i| \rceil + 2$ (induction hypothesis), we also have $\|D_{2k+1}(\ell_i)\| \le 4\lceil \sup(I_i)/|I_i| \rceil + 2$. Assume that $E_{2k+2}(\ell_i) = \{J^i_1, \ldots, J^i_{m_i}\}$. We define $D_{2k+2}$ of $\rho'$ as $f_\theta(E_{2k+2}) = \bigcup_{\ell_i \in L} f_\theta(E_{2k+2}(\ell_i))$, where $\forall \ell_i \in L$, $f_\theta(E_{2k+2}(\ell_i))$ is defined as follows:
\[ f_\theta(E_{2k+2}(\ell_i)) = \begin{cases} \mathrm{Merge}(E_{2k+2}(\ell_i)) & \text{if } \exists m \ge 1 \text{ such that: } (\theta^{k+2}, m) \models \varphi_2 \wedge \tau'_m \in I_i - \sup(J^i_1) \wedge \tau'_m \in I_i \wedge (\forall 1 \le m' < m: (\theta^{k+2}, m') \models \varphi_1) \\ E_{2k+2}(\ell_i) & \text{otherwise} \end{cases} \]
where, as defined above,
\[ \mathrm{Merge}(E_{2k+2}(\ell_i)) = \{(\ell_i, [0, \sup(J^i_1)]), (\ell_i, J^i_2), (\ell_i, J^i_3), \ldots, (\ell_i, J^i_{m_i})\}. \]

We must prove there is an accepting Id-run of $A_\Phi$ from $D_{2(k+1)} := f_\theta(E_{2k+2}) = \bigcup_{\ell_i \in L} f_\theta(E_{2k+2}(\ell_i))$ on $\theta^{k+2}$. Let $\ell_i \in L$; thanks to Proposition 2, it is sufficient to prove that there is an accepting Id-run of $A_\Phi$ on $\theta^{k+2}$ from $D_{2(k+1)}(\ell_i) := f_\theta(E_{2k+2}(\ell_i))$. If $f_\theta(E_{2k+2}(\ell_i)) = E_{2k+2}(\ell_i)$, the accepting Id-run given by the induction hypothesis on $E_{2k+2}(\ell_i)$ can always be used. Else,
\[ f_\theta(E_{2k+2}(\ell_i)) = \{(\ell_i, [0, \sup(J^i_1)]), (\ell_i, J^i_2), (\ell_i, J^i_3), \ldots, (\ell_i, J^i_{m_i})\}. \]
As in this case $E_{2k+2}(\ell_i)$ was $\{(\ell_i, [0,0]), (\ell_i, J^i_1), (\ell_i, J^i_2), (\ell_i, J^i_3), \ldots, (\ell_i, J^i_{m_i})\}$, the accepting Id-run given by the induction hypothesis can be used from $\{(\ell_i, J^i_2), (\ell_i, J^i_3), \ldots, (\ell_i, J^i_{m_i})\} \subseteq f_\theta(E_{2k+2}(\ell_i))$ (thanks to Proposition 2) and we only need to prove there is an accepting Id-run of $A_\Phi$ on $\theta^{k+2}$ from $\{(\ell_i, [0, \sup(J^i_1)])\}$.

As in this case $\exists m \ge 1$ such that: $(\theta^{k+2}, m) \models \varphi_2 \wedge \tau'_m \in I_i - \sup(J^i_1) \wedge \tau'_m \in I_i \wedge (\forall 1 \le m' < m: (\theta^{k+2}, m') \models \varphi_1)$, we can conclude thanks to Proposition 2.



We must now show that, the way we grouped clock copies with $f_\theta$, $\forall \ell_i \in L$ corresponding to a formula $\varphi_1 U_{I_i} \varphi_2$, $\|D_{2k+2}(\ell_i)\| \le 4\lceil \sup(I_i)/|I_i| \rceil + 2$. We prove it by contradiction.

Let us suppose that $\|D_{2k+2}(\ell_i)\| > 4\lceil \sup(I_i)/|I_i| \rceil + 2$, for a certain location $\ell_i$ corresponding to a formula $\varphi_1 U_{I_i} \varphi_2$. We thus have more than $2\lceil \sup(I_i)/|I_i| \rceil + 1$ intervals associated with $\ell_i$ in $D_{2k+2}$, i.e.: $D_{2k+2}(\ell_i) = \{(\ell_i, J^i_1), (\ell_i, J^i_2), \ldots, (\ell_i, J^i_{m_i})\}$, for a certain $m_i > 2\lceil \sup(I_i)/|I_i| \rceil + 1$. The way we grouped clock copies with $f_\theta$, we know that each interval $J^i_j$, for $1 \le j \le m_i$, satisfies the following property:
\[ \exists k_j \ge 1 \text{ such that: } (\theta^{k+2}, k_j) \models \varphi_2 \wedge \tau'_{k_j} \in I_i - \sup(J^i_j) \wedge \tau'_{k_j} \in I_i - \inf(J^i_j) \wedge (\forall 1 \le k' < k_j,\ (\theta^{k+2}, k') \models \varphi_1). \tag{2} \]
(If it were not the case anymore, $\rho'$ would not be an accepting run.) Moreover, $\forall 1 < j \le m_i$, we have the following property:
\[ \forall k_m \ge 1: (\theta^{k+2}, k_m) \not\models \varphi_2 \vee \tau'_{k_m} \notin I_i - \sup(J^i_j) \vee \tau'_{k_m} \notin I_i - \sup(J^i_{j-1}) \vee \exists 1 \le k' < k_m,\ (\theta^{k+2}, k') \not\models \varphi_1. \tag{3} \]
(If it were not the case, $\sup(J^i_{j-1})$ would have been grouped with $J^i_j$.)

We first claim that $\forall 3 \le j \le m_i$, $\sup(J^i_j) - \sup(J^i_{j-2}) \ge |I_i|$. We will prove it by contradiction. Let $j^*$ be s.t. $3 \le j^* \le m_i$ and suppose that $\sup(J^i_{j^*}) - \sup(J^i_{j^*-2}) < |I_i|$, i.e.: $\sup(J^i_{j^*}) < |I_i| + \sup(J^i_{j^*-2})$. Then $(I_i - \sup(J^i_{j^*})) \cap (I_i - \sup(J^i_{j^*-2})) \neq \emptyset$ because these intervals have the same size; moreover, as $\sup(J^i_{j^*}) > \sup(J^i_{j^*-2})$, $\inf(I_i - \sup(J^i_{j^*})) < \inf(I_i - \sup(J^i_{j^*-2}))$ and finally:
\[ \sup(I_i - \sup(J^i_{j^*})) = \sup(I_i) - \sup(J^i_{j^*}) > \sup(I_i) - (|I_i| + \sup(J^i_{j^*-2})) = \sup(I_i) - \sup(I_i) + \inf(I_i) - \sup(J^i_{j^*-2}) = \inf(I_i) - \sup(J^i_{j^*-2}) = \inf(I_i - \sup(J^i_{j^*-2})). \]
So, as $\sup(J^i_{j^*-2}) < \sup(J^i_{j^*-1}) < \sup(J^i_{j^*})$, $I_i - \sup(J^i_{j^*-1}) \subseteq (I_i - \sup(J^i_{j^*})) \cup (I_i - \sup(J^i_{j^*-2}))$. Equation (2), letting $j = j^* - 1$, implies that $\tau'_{k_{j^*-1}} \in I_i - \sup(J^i_{j^*-1})$, so $\tau'_{k_{j^*-1}} \in (I_i - \sup(J^i_{j^*})) \cup (I_i - \sup(J^i_{j^*-2}))$. However, if $\tau'_{k_{j^*-1}} \in (I_i - \sup(J^i_{j^*}))$, we contradict (3) in $j^*$ taking $k_m = k_{j^*-1}$ (thanks to the definition of $k_{j^*-1}$); and if $\tau'_{k_{j^*-1}} \in (I_i - \sup(J^i_{j^*-2}))$, we contradict (3) for $j = j^* - 1$ taking $k_m = k_{j^*-1}$ (thanks to the definition of $k_{j^*-1}$).

We now know that $\forall 3 \le j \le m_i$, $\sup(J^i_j) - \sup(J^i_{j-2}) \ge |I_i|$. So,
\[ \sup(J^i_{m_i}) - \sup(J^i_1) \ge \frac{m_i - 2}{2} \cdot |I_i|. \]
As $m_i > 2\lceil \sup(I_i)/|I_i| \rceil + 1$ and $m_i$ is an integer, $m_i \ge 2\lceil \sup(I_i)/|I_i| \rceil + 2$, and we have that:
\[ \sup(J^i_{m_i}) - \sup(J^i_1) \ge \frac{2\lceil \sup(I_i)/|I_i| \rceil + 2 - 2}{2} \cdot |I_i| = \left\lceil \frac{\sup(I_i)}{|I_i|} \right\rceil \cdot |I_i| \ge \sup(I_i). \]
It means that $\sup(J^i_{m_i}) - \sup(J^i_1) \ge \sup(I_i)$, and hence $\sup(J^i_{m_i}) \ge \sup(I_i)$. It is a contradiction because if $\sup(J^i_{m_i}) \ge \sup(I_i)$, we cannot have an accepting Id-run from $\{(\ell_i, \sup(J^i_{m_i}))\}$ and therefore neither from $D_{2k+2}$, while we have just proved it is the case.



So far, we have showed that $\forall \ell_i \in L$, $\forall 1 \le j \le n$: $\|D_j(\ell_i)\| \le 4\lceil \sup(I_i)/|I_i| \rceil + 2$. So, the bound we have on the run is $|L| \cdot 4\lceil \sup(I_i)/|I_i| \rceil + 2$. In Step 2, we will show we can improve this bound to $M(\Phi)$ and so conclude that our $f_\theta$-run is in fact an $f^*_\Phi$-run.

Case $\varphi_1 \tilde{U}_I \varphi_2$: The arguments are similar to the $U$ case, using the corresponding Proposition. The bound found is the following: $\forall \ell \in L$ associated to a formula of the form $\varphi_1 \tilde{U}_I \varphi_2$, $\forall 1 \le j \le n$: $\|D_j(\ell)\| \le 2\lceil \sup(I)/|I| \rceil + 2$. Remark that, to prove this case, we must assume the following property on $\rho$: for all $0 \le i \le 2n$, for all $\ell$ corresponding to a sub-formula of the form $\varphi_1 \tilde{U}_I \varphi_2$, for all $J \in C_i(\ell)$: $\inf(J) \le \sup(I)$. Remark that this is always possible, because if an interval $J$ is present in a location $\ell$ corresponding to $\varphi_1 \tilde{U}_I \varphi_2$, with $\inf(J) > \sup(I)$, the arc $(\ell, \sigma, x \notin I \wedge x > \sup(I))$ can be taken for all $\sigma \in \Sigma$.

Step 2: We still must prove that $\rho'$ is an accepting $f^*_\Phi$-run: thanks to Step 1, it remains to prove that each configuration reached by $\rho'$ contains at most $M(\Phi)$ clock copies. By definition of the transitions starting from the initial location $\ell_0$, at most two clock copies will be associated with this location (because the initial state is $\{(\ell_0, [0,0])\}$) and no clock copy will be associated with this location anymore as soon as clock copies are sent towards other locations. Moreover, all other locations of $A_\Phi$ are locations associated with sub-formulas of $\Phi$ of type $\varphi_1 U_I \varphi_2$: we know such a location contains at most $4\lceil \sup(I)/|I| \rceil + 2$ clock copies all along $\rho'$. Remark that the transition starting from the location of a formula $\varphi_1 U_I \varphi_2$ is $(x.\delta(\varphi_2, \sigma) \wedge x \in I) \vee (x.\delta(\varphi_1, \sigma) \wedge \varphi_1 U_I \varphi_2 \wedge x \le \sup(I))$: it means that $\delta(\varphi_1, \sigma)$ is taken many times while $\delta(\varphi_2, \sigma)$ is only taken once. This is why we distinguish, in the definition of $M(\Phi)$, the maximal number of copies present in configurations reached by $\rho'$: (1) to verify a sub-formula $\varphi$ of $\Phi$ that receives many clock copies, (2) to verify a sub-formula $\varphi$ of $\Phi$ that receives at most one clock copy, (3) to verify $\varphi = \Phi$, with the complete automaton $A_\varphi$.

It is not difficult to be convinced that a proof by induction on the structure of $\Phi$ shows that each configuration of $A_\Phi$ reached by $\rho'$ contains at most $M(\Phi)$ clock copies.

$\square$
C Towards a timed automaton

Let $\Phi$ be an MITL formula, and assume $A_\Phi = (\Sigma, L^*, \ell^*_0, F^*, \delta^*)$. Let us show how to build the TA $B_\Phi = (\Sigma, L, \ell_0, X, F, \delta)$ s.t. $L(B_\Phi) = L^{f^*_\Phi}(A_\Phi)$. The components of $B_\Phi$ are as follows. For a set of clocks $X$, we let $\mathrm{loc}(X)$ be the set of functions $S$ that associate to each $\ell \in L^*$ a finite sequence $(x_1, y_1), \ldots, (x_n, y_n)$ of pairs of clocks from $X$, s.t. each clock occurs only once in all the $S(\ell)$. Then:

• $L = \mathrm{loc}(X)$. Intuitively, a configuration $(S, v)$ of $B_\Phi$ encodes the configuration $C$ of $A_\Phi$ s.t. for all $\ell \in L^*$: $C(\ell) = \{[v(x), v(y)] \mid (x, y) \in S(\ell)\}$.

• $\ell_0$ is s.t. $\ell_0(\ell^*_0) = (x, y)$, where $x$ and $y$ are two clocks arbitrarily chosen from $X$, and $\ell_0(\ell) = \emptyset$ for all $\ell \in L^* \setminus \{\ell^*_0\}$.

• $X$ is a set of clocks s.t. $|X| = M(\Phi)$.

• $F$ is the set of all locations $S$ s.t. $\{\ell \mid S(\ell) \neq \emptyset\} \subseteq F^*$.



Finally, we must define the set of transitions $\delta$ to let $B_\Phi$ simulate the executions of $A_\Phi$. First, we observe that, for each location $\ell \in L^*$, for each $\sigma \in \Sigma$, all arcs in $\delta^*$ are either of the form $(\ell, \sigma, \mathrm{true})$ or $(\ell, \sigma, \mathrm{false})$, or of the form $(\ell, \sigma, \ell \wedge x.(\ell_1 \wedge \cdots \wedge \ell_k) \wedge g)$, or of the form $(\ell, \sigma, x.(\ell_1 \wedge \cdots \wedge \ell_k) \wedge g)$, where $g$ is a guard on $x$, i.e. a finite conjunction of clock constraints on $x$. Let $S \in \mathrm{Config}(B_\Phi)$ be a configuration of $B_\Phi$, let $\ell \in L^*$, and let $\sigma \in \Sigma$ be a letter. Let $(x, y)$ be a pair of clocks occurring in $S(\ell)$ and let us associate to this pair an arc $a$ of $\delta^*$ of the form $(\ell, \sigma, \gamma)$. Then, we associate to $a$ a guard $\mathrm{guard}(a)$, and two sets $\mathrm{reset}(a)$ and $\mathrm{loop}(a)$, defined as follows:

• if $\gamma \in \{\mathrm{true}, \mathrm{false}\}$, then $\mathrm{guard}(a) = \gamma$ and $\mathrm{reset}(a) = \mathrm{loop}(a) = \emptyset$.

• if $\gamma$ is of the form $x.(\ell_1 \wedge \cdots \wedge \ell_k) \wedge g$, then $\mathrm{guard}(a) = g$, $\mathrm{reset}(a) = \{\ell_1, \ldots, \ell_k\}$ and $\mathrm{loop}(a) = \emptyset$.

• if $\gamma$ is of the form $\ell \wedge x.(\ell_1 \wedge \cdots \wedge \ell_k) \wedge g$, then $\mathrm{guard}(a) = g$, $\mathrm{reset}(a) = \{\ell_1, \ldots, \ell_k\}$ and $\mathrm{loop}(a) = \{(x, y)\}$.

Thanks to those definitions, we can now define $\delta$. Let $S$ be a location in $L$, and assume:
\[ \{(\ell_1, x_1, y_1), \ldots, (\ell_k, x_k, y_k)\} = \{(\ell, x, y) \mid (x, y) \in S(\ell)\}. \]
Then $(S, \sigma, g, r, S') \in \delta$ iff there is a set $A = \{a_1, \ldots, a_k\}$ of arcs s.t.:

• for all $1 \le i \le k$: $a_i$ is an arc of $\delta^*$ of the form $(\ell_i, \sigma, \gamma_i)$, associated to $(x_i, y_i)$.

• For each $\ell \in L^*$, we let $S_\ell = (x'_1, y'_1)(x'_2, y'_2) \cdots (x'_m, y'_m)$ be obtained from $S(\ell)$ by deleting all pairs $(x, y) \notin \bigcup_{1 \le i \le k} \mathrm{loop}(a_i)$. Then, for all $\ell \in L^*$:
\[ S'(\ell) \in \{(x, y) \cdot S_\ell,\ (x, y'_1)(x'_2, y'_2) \cdots (x'_m, y'_m)\} \text{ if } \ell \in \bigcup_{1 \le i \le k} \mathrm{reset}(a_i), \qquad S'(\ell) = S_\ell \text{ otherwise.} \]
When $S'(\ell) = (x, y) \cdot S_\ell$, we let $R_\ell = \{x, y\}$; when $S'(\ell) = (x, y'_1)(x'_2, y'_2) \cdots (x'_m, y'_m)$, we let $R_\ell = \{x\}$; and we let $R_\ell = \emptyset$ otherwise.

• $g = \bigwedge_{1 \le i \le k} (\mathrm{guard}(a_i)[x/x_i] \wedge \mathrm{gu ard}(a_i)[x/y_i])$.

• $r = \bigcup_{\ell \in L^*} R_\ell$.
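As an added example (not code from the paper), the following Python function enumerates the transitions $(S, \sigma, g, r, S')$ of $\delta$ leaving one location $S$ of $B_\Phi$ for one letter, following the definition just given: non-looping pairs are dropped, and every reset location gets either a fresh pair (a new interval $[0,0]$) or the merged pair $(x, y'_1)$. The dictionary encoding of locations and arcs, the string form of guards, and the sample data are assumptions of this example.

```python
from itertools import product

def successors(S, arcs, clocks):
    """Transitions (g, r, S') of B_Phi leaving location S on one letter.
    S: {l: [(x, y), ...]}, one clock-pair sequence per location l of A_Phi.
    arcs: {(l, x, y): (guard, reset, loop)}: the arc of delta* chosen for the
    pair (x, y) of S(l), summarised as in the text: guard is 'true', 'false'
    or a constraint string written over the clock name 'x'; reset is a set of
    locations; loop is a set of clock pairs. clocks is the clock set X."""
    guards, resets, loops = set(), set(), set()
    for (l, x, y), (gd, rs, lp) in arcs.items():
        if gd == 'false':
            return []                       # this arc can never be taken
        if gd != 'true':                    # guard(a)[x/x_i] and guard(a)[x/y_i]
            guards |= {gd.replace('x', x), gd.replace('x', y)}
        resets |= rs
        loops |= lp
    used = {c for pairs in S.values() for p in pairs for c in p}
    free = sorted(set(clocks) - used)       # clocks occurring nowhere in S
    options = {}                            # l -> list of (S'(l), R_l)
    for l in sorted(set(S) | resets):
        S_l = [p for p in S.get(l, []) if p in loops]  # drop non-looping pairs
        if l not in resets:
            options[l] = [(S_l, set())]
            continue
        x, y = free.pop(0), free.pop(0)     # assumption: |X| = M(Phi) is enough
        opts = [([(x, y)] + S_l, {x, y})]   # new interval [0, 0] in front
        if S_l:                             # Merge: [0, sup(J_1)] instead
            (_, y1), rest = S_l[0], S_l[1:]
            opts.append(([(x, y1)] + rest, {x}))
        options[l] = opts
    result = []
    for combo in product(*options.values()):
        S_next = dict(zip(options, [seq for seq, _ in combo]))
        r = set().union(*(R for _, R in combo))
        result.append((sorted(guards), r, S_next))
    return result

# Constructed sample: location l1 holds the pair (c1, c2); its arc loops on
# l1 with guard x <= 2 and resets l1, so both the fresh-pair and the Merge
# option appear among the successors.
SAMPLE_S = {'l1': [('c1', 'c2')]}
SAMPLE_ARCS = {('l1', 'c1', 'c2'): ('x <= 2', {'l1'}, {('c1', 'c2')})}
CLOCKS = ['c1', 'c2', 'c3', 'c4']

if __name__ == '__main__':
    for g, r, S2 in successors(SAMPLE_S, SAMPLE_ARCS, CLOCKS):
        print(g, sorted(r), S2)
```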

For all MITL formula $\Phi$, let $\mathcal{I}_\Phi$ be the set of all the intervals that occur in $\Phi$. Then:

Theorem. For all MITL formula $\Phi$, $B_\Phi$ has $M(\Phi)$ clocks and $O((|\Phi|)^{m \cdot |\Phi|})$ locations, where
\[ m = \max_{I \in \mathcal{I}_\Phi} \left\{ 2 \times \left\lceil \frac{\inf(I)}{|I|} \right\rceil + 1,\ \left\lceil \frac{\sup(I)}{|I|} \right\rceil + 1 \right\}. \]

Proof. By definition of $B_\Phi$, $|X| = M(\Phi) = O(2.m.|\Phi|)$. Moreover, one location of this automaton is an association, to each location $\ell$ of $A_\Phi$, of a finite sequence $(x_1, y_1), \ldots, (x_n, y_n)$ of pairs of clocks from $X$ such that each pair is associated to a unique $\ell$. In other words, each couple of clocks $(x_i, y_i)$ can be associated either to one and only one of the $\ell \in L$ or to no $\ell \in L$. We thus have $|L| + 1$ possibilities of association for each pair $(x_i, y_i)$ and we have $M(\Phi)/2$ such pairs. So, $B_\Phi$ has $(|L| + 1)^{M(\Phi)/2}$ locations, i.e.: $O((|\Phi|)^{m \cdot |\Phi|}) = O(2^{m \cdot |\Phi| \cdot \log_2(|\Phi|)})$ (because $|L| = O(|\Phi|)$ and $M(\Phi) = O(2.m.|\Phi|)$).

We prove that $B_\Phi$ recognizes $\llbracket\Phi\rrbracket$ by mapping each configuration of $B_\Phi$ to a configuration of $A_\Phi$ and conversely, and by showing that this mapping is consistent with all runs.

First, let $(S, v)$ be a configuration of $B_\Phi$; we map it to the following configuration of $A_\Phi$. We know that $\forall \ell \in L$, $S(\ell)$ is a finite sequence $(x_1, y_1), \ldots, (x_n, y_n)$ of pairs of clocks from $X$: it corresponds to the (unique) configuration of $A_\Phi$, $C = \bigcup_{\ell \in L} C(\ell)$, where $C(\ell) = \{[v(x), v(y)] \mid (x, y) \in S(\ell)\}$. It is straightforward to see that, if $(S, v) \leadsto (S', v')$ and $(S, v)$ is mapped to $C$, there exists $C'$ such that $C \leadsto C'$ and $C'$ is mapped to $(S', v')$. Moreover, we claim that, if $(S, v) \to (S', v')$ and $(S, v)$ is mapped to $C$, there exists $C'$ such that $C \to_{f^*} C'$ and $C'$ is mapped to $(S', v')$. This holds because, if $(S, v) \to (S', v')$, we can use the arc $a \in \delta^*(\ell, \sigma)$ associated to $(x, y) \in S(\ell)$ to find a minimal model of the state $(\ell, [v(x), v(y)])$ of $C$; this way, we reach a configuration $C'$ of $A_\Phi$ that is mapped to $(S', v')$ thanks to the definition of $\delta$: corresponding clocks are reset at the same time; we verify the same guards on corresponding clocks; and the configurations we can reach in $B_\Phi$ correspond, for each location $\ell \in L$ whose smallest associated interval is $[0,0]$, to grouping or not this interval with the second one associated with $\ell$, which corresponds to the configurations of $A_\Phi$ we can reach from $C$.

Second, let $C$ be a configuration of $A_\Phi$; we map it to the set of all $(S, v)$ s.t. for all $\ell \in L$: $C(\ell) = \{I_1, I_2, \ldots, I_n\}$ and $v(x_1) = \inf(I_1)$, $v(y_1) = \sup(I_1)$, $\ldots$, $v(x_n) = \inf(I_n)$, $v(y_n) = \sup(I_n)$. Observe that there are indeed several configurations $(S, v)$ of $B_\Phi$ that satisfy this definition: they can all be obtained from one another up to clock renaming. To keep our runs consistent, we must only choose the corresponding configuration of $B_\Phi$ such that: once a pair of clocks is associated to an interval $I_j$ of $C(\ell)$, if $I_j$ is still in $C'(\ell)$, the same clocks represent its bounds. In the same way, when an interval $I'_j$ of the form $[0, \sup(I_j)]$ is in $C'(\ell)$, the same clocks represent its bounds. On the contrary, when a new interval $I_j$ ($= [0,0]$) is associated to $C(\ell)$, we can arbitrarily choose which unused pair of clocks $(x_i, y_i)$ will represent it. Thanks to this trick, we can prove properties similar to those of the first step. $\square$